From eb3751e34e1e10ff092e09955355d47810862171 Mon Sep 17 00:00:00 2001
From: Csaky <tim.csaky@gov.bc.ca>
Date: Thu, 5 Mar 2026 17:07:05 -0800
Subject: [PATCH 1/6] Handle access based on IDP permissions

---
 .../components/bucket/BucketPermission.vue    |   2 +-
 .../bucket/BucketPermissionAddUser.vue        |   4 +-
 .../components/object/ObjectFileDetails.vue   |  20 +-
 frontend/src/components/object/ObjectList.vue |   4 +-
 .../src/components/object/ObjectTable.vue     |   4 +
 frontend/src/components/object/index.ts       |   1 +
 frontend/src/services/permissionService.ts    |  95 +++++++
 frontend/src/store/bucketStore.ts             |  20 +-
 frontend/src/store/objectStore.ts             |  14 +-
 frontend/src/store/permissionStore.ts         | 242 +++++++++++++++++-
 frontend/src/types/BucketIdpPermission.ts     |   8 +
 frontend/src/types/COMSObjectIdpPermission.ts |   8 +
 frontend/src/types/IdpPermissions.ts          |   8 +
 frontend/src/types/UserPermissions.ts         |   2 +-
 frontend/src/types/index.ts                   |   3 +
 .../options/BucketSearchPermissionsOptions.ts |   1 +
 .../options/ObjectSearchPermissionsOptions.ts |   9 +-
 frontend/src/views/list/ListObjectsView.vue   |   5 +-
 18 files changed, 411 insertions(+), 39 deletions(-)
 create mode 100644 frontend/src/types/BucketIdpPermission.ts
 create mode 100644 frontend/src/types/COMSObjectIdpPermission.ts
 create mode 100644 frontend/src/types/IdpPermissions.ts

diff --git a/frontend/src/components/bucket/BucketPermission.vue b/frontend/src/components/bucket/BucketPermission.vue
index 9946ff72..f7dc2036 100644
--- a/frontend/src/components/bucket/BucketPermission.vue
+++ b/frontend/src/components/bucket/BucketPermission.vue
@@ -156,7 +156,7 @@ onBeforeMount(async () => {
           aria-labelledby="upload_checkbox"
         />
         <Column
-          field="idpName"
+          field="idp"
           header="Provider"
         />
         <Column
diff --git a/frontend/src/components/bucket/BucketPermissionAddUser.vue b/frontend/src/components/bucket/BucketPermissionAddUser.vue
index c1a84dea..1eaed32d 100644
--- a/frontend/src/components/bucket/BucketPermissionAddUser.vue
+++ b/frontend/src/components/bucket/BucketPermissionAddUser.vue
@@ -13,12 +13,12 @@ const permissionStore = usePermissionStore();
 // Actions
 const onAdd = (selectedUser: User) => {
   const configuredIdp = getConfig.value.idpList.find((idp: IdentityProvider) => idp.idp === selectedUser.idp);
-  const idpName = configuredIdp?.name || 'BCSC';
+  const idp = configuredIdp?.name || 'BCSC';
   const idpElevated = configuredIdp?.elevatedRights || false;
 
   permissionStore.addBucketUser({
     userId: selectedUser.userId,
-    idpName: idpName,
+    idp: idp,
     elevatedRights: idpElevated,
     fullName: selectedUser.fullName,
     create: false,
diff --git a/frontend/src/components/object/ObjectFileDetails.vue b/frontend/src/components/object/ObjectFileDetails.vue
index 50aa728f..294ae9dd 100644
--- a/frontend/src/components/object/ObjectFileDetails.vue
+++ b/frontend/src/components/object/ObjectFileDetails.vue
@@ -50,7 +50,7 @@ const permissionStore = usePermissionStore();
 const tagStore = useTagStore();
 const versionStore = useVersionStore();
 
-const { getUserId } = storeToRefs(useAuthStore());
+const { getProfile, getUserId } = storeToRefs(useAuthStore());
 const { getObject } = storeToRefs(objectStore);
 const {
   getIsDeleted,
@@ -118,21 +118,27 @@ async function onVersionCreated() {
 
 onMounted(async () => {
   const head = await objectStore.headObject(props.objectId);
-
-  // TODO: sync object?
-  await objectStore.fetchObjects({ objectId: props.objectId, userId: getUserId.value, bucketPerms: true });
+  // fetch object and object permissions
+  await objectStore.fetchObjects({
+    objectId: props.objectId,
+    userId: getUserId.value,
+    idp: (getProfile.value as any)?.identity_provider,
+    bucketPerms: true
+  });
   object.value = getObject.value(props.objectId);
   bucketId.value = object.value ? object.value.bucketId : '';
-
-  await permissionStore.fetchBucketPermissions({
-    userId: getUserId.value,
+  // fetch bucket and bucket permissions
+  await bucketStore.fetchBuckets({
     bucketId: bucketId.value,
+    userId: getUserId.value,
+    idp: (getProfile.value as any)?.identity_provider,
     objectPerms: true
   });
   if (
     head?.status !== 204 &&
     !isDeleted.value &&
     (!object.value ||
+      // check for permissions in store
       !permissionStore.isObjectActionAllowed(object.value.id, getUserId.value, Permissions.READ, object.value.bucketId))
   ) {
     router.replace({ name: RouteNames.FORBIDDEN });
diff --git a/frontend/src/components/object/ObjectList.vue b/frontend/src/components/object/ObjectList.vue
index d9894f7b..9bb9e526 100644
--- a/frontend/src/components/object/ObjectList.vue
+++ b/frontend/src/components/object/ObjectList.vue
@@ -90,7 +90,7 @@ const autoSync = async () => {
   const lastSyncDate = new Date(bucket?.lastSyncRequestedDate as string);
   const sinceLastSyncDate = differenceInSeconds(now, lastSyncDate);
 
-  // if havent synced for 24 hrs trigger autoSync
+  // if havent synced for 24 hrs trigger autoSync of JUST this folder level (not recursive)
   if (sinceLastSyncDate > autoMinimum) {
     await bucketStore.syncBucket(props.bucketId, false);
     syncStatus.value = 'Sync in progress';
@@ -180,7 +180,7 @@ onBeforeMount(async () => {
           "
         >
           <SyncButton
-            v-if="bucket && permissionStore.isBucketActionAllowed(bucket.bucketId, getUserId, Permissions.READ)"
+            v-if="bucket && permissionStore.isBucketActionAllowed(bucket.bucketId, getUserId, Permissions.MANAGE)"
             :disabled="syncButtonDisabled"
             :bucket-id="bucket?.bucketId"
             :mode="ButtonMode.BUTTON"
diff --git a/frontend/src/components/object/ObjectTable.vue b/frontend/src/components/object/ObjectTable.vue
index 5532cc90..2a3c9b1c 100644
--- a/frontend/src/components/object/ObjectTable.vue
+++ b/frontend/src/components/object/ObjectTable.vue
@@ -139,6 +139,10 @@ const loadLazyData = (event?: any) => {
         permissionStore.fetchObjectPermissions({
           objectId: objects.map((o: COMSObject) => o.id)
         });
+
+        permissionStore.fetchObjectIdpPermissions({
+          objectId: objects.map((o: COMSObject) => o.id)
+        });
       }
     });
 };
diff --git a/frontend/src/components/object/index.ts b/frontend/src/components/object/index.ts
index a7a9b166..8077fe58 100644
--- a/frontend/src/components/object/index.ts
+++ b/frontend/src/components/object/index.ts
@@ -5,6 +5,7 @@ export { default as DownloadObjectButton } from './DownloadObjectButton.vue';
 export { default as ObjectAccess } from './ObjectAccess.vue';
 export { default as ObjectFileDetails } from './ObjectFileDetails.vue';
 export { default as ObjectFilters } from './ObjectFilters.vue';
+export { default as ObjectIdpPermission } from './ObjectIdpPermission.vue';
 export { default as ObjectList } from './ObjectList.vue';
 export { default as ObjectMetadata } from './ObjectMetadata.vue';
 export { default as ObjectMetadataTagForm } from './ObjectMetadataTagForm.vue';
diff --git a/frontend/src/services/permissionService.ts b/frontend/src/services/permissionService.ts
index 9f64d07d..43fad850 100644
--- a/frontend/src/services/permissionService.ts
+++ b/frontend/src/services/permissionService.ts
@@ -14,8 +14,10 @@ import type {
 const PATH = 'permission';
 const BUCKET = 'bucket';
 const OBJECT = 'object';
+const IDP = 'idp';
 
 export default {
+  // ------ user permissions ------
   /**
    * @function bucketAddPermissions
    * Adds the given permissions to the bucket
@@ -104,5 +106,98 @@ export default {
    */
   objectGetPermissions(objectId: string, params?: ObjectGetPermissionsOptions) {
     return comsAxios().get(`${PATH}/${OBJECT}/${objectId}`, { params: params });
+  },
+
+  // ------ IDP permissions ------
+
+  /**
+   * function bucketAddIdpPermissions
+   * Adds the given permissions to the bucket for the specified IDP
+   * @param bucketId
+   * @param data
+   * @param params
+   * @returns
+   */
+  bucketAddIdpPermissions(bucketId: string, data: any, params = { recursive: false }) {
+    return comsAxios().put(`${PATH}/${IDP}/${BUCKET}/${bucketId}`, data, {
+      params: params
+    });
+  },
+
+  /**
+   * function bucketDeleteIdpPermission
+   * Deletes the given permission from the bucket for the specified IDP
+   * @param bucketId
+   * @param params
+   * @returns
+   */
+  bucketDeleteIdpPermission(bucketId: string, params: any) {
+    return comsAxios().delete(`${PATH}/${IDP}/${BUCKET}/${bucketId}`, {
+      params: params
+    });
+  },
+
+  /**
+   * @function bucketSearchIdpPermissions
+   * Returns a list of buckets and their IDP permissions
+   * @param {BucketSearchPermissionsOptions} params Optional object containing the data to filter against
+   * @returns {Promise} An axios response
+   */
+  bucketSearchIdpPermissions(params?: any) {
+    return comsAxios().get(`${PATH}/${IDP}/${BUCKET}`, { params: params });
+  },
+
+  /**
+   * function bucketGetIdpPermissions
+   * Returns a list of IDP permissions for the bucket
+   * @param bucketId
+   * @param params
+   * @returns
+   */
+  bucketGetIdpPermissions(bucketId: string, params?: any) {
+    return comsAxios().get(`${PATH}/${IDP}/${BUCKET}/${bucketId}`, { params: params });
+  },
+
+  /**
+   * function objectAddIdpPermissions
+   * Adds the given permissions to the object for the specified IDP
+   * @param objectId
+   * @param data
+   * @returns
+   */
+  objectAddIdpPermissions(objectId: string, data: Object) {
+    return comsAxios().put(`${PATH}/${IDP}/${OBJECT}/${objectId}`, data);
+  },
+
+  /**
+   * @function objectDeleteIdpPermission
+   * Deletes the given IDP permission from the object
+   * @param {string} objectId ID of the object to remove permissions from
+   * @param {ObjectDeletePermissionsOptions} params Object containing the permission to remove
+   * @returns {Promise} An axios response
+   */
+  objectDeleteIdpPermission(objectId: string, params: Object) {
+    return comsAxios().delete(`${PATH}/${IDP}/${OBJECT}/${objectId}`, { params: params });
+  },
+
+  /**
+   * @function objectSearchIdpPermissions
+   * Returns a list of IDP object permissions
+   * @param {ObjectSearchPermissionsOptions} params Optional object containing the data to filter against
+   * @returns {Promise} An axios response
+   */
+  objectSearchIdpPermissions(params?: any) {
+    return comsAxios().get(`${PATH}/${IDP}/${OBJECT}`, { params: params });
+  },
+
+  /**
+   * @function objectGetIdpPermissions
+   * Returns a list of IDP permissions for the object
+   * @param {string} objectId ID of the object
+   * @param {ObjectGetPermissionsOptions} params Optional object containing the data to filter against
+   * @returns {Promise} An axios response
+   */
+  objectGetIdpPermissions(objectId: string, params?: Object) {
+    return comsAxios().get(`${PATH}/${IDP}/${OBJECT}/${objectId}`, { params: params });
   }
 };
diff --git a/frontend/src/store/bucketStore.ts b/frontend/src/store/bucketStore.ts
index f8077948..539f6fd1 100644
--- a/frontend/src/store/bucketStore.ts
+++ b/frontend/src/store/bucketStore.ts
@@ -95,8 +95,8 @@ export const useBucketStore = defineStore('bucket', () => {
   /**
    * function does the following in order:
    * - fetches bucket permissions
-   *   (fetchBucketPermissions() also add bucket permissions to the permission store)
-   * - pass bucketId's of buckets with a permission to searchBuckets()
+   * - adds bucket permissions to the permission store
+   * - pass bucketId's (from list of permissions) to searchBuckets()
    * - add buckets to store (skipping existing matches)
    * @param params search parameters
    * @returns an array of matching buckets found
@@ -106,11 +106,21 @@ export const useBucketStore = defineStore('bucket', () => {
       appStore.beginIndeterminateLoading();
 
       // Get a unique list of bucket IDs the user has access to
-      const permResponse = await permissionStore.fetchBucketPermissions(params);
+      // based on user permissions..
+      const permResponse = await permissionStore.fetchBucketPermissions({ ...params, idp: undefined });
+      //  and IDP permissions (if current user's idp is provided in params)
+      const IdpPermResponse = params?.idp
+        ? await permissionStore.fetchBucketIdpPermissions({ ...params, userId: undefined })
+        : undefined;
+
       // if permissions found
-      if (permResponse) {
+      if (permResponse || IdpPermResponse) {
         const uniqueIds: Array<string> = [
-          ...new Set<string>(permResponse.map((x: { bucketId: string }) => x.bucketId))
+          ...new Set<string>(
+            permResponse
+              ?.map((x: { bucketId: string }) => x.bucketId)
+              .concat(IdpPermResponse?.map((x: { bucketId: string }) => x.bucketId) || [])
+          )
         ];
 
         let response = Array<Bucket>();
diff --git a/frontend/src/store/objectStore.ts b/frontend/src/store/objectStore.ts
index 199475cc..d559e01c 100644
--- a/frontend/src/store/objectStore.ts
+++ b/frontend/src/store/objectStore.ts
@@ -144,13 +144,19 @@ export const useObjectStore = defineStore('object', () => {
       appStore.beginIndeterminateLoading();
 
       // Get a unique list of object IDs the user has access to
-      const permResponse = await permissionStore.fetchObjectPermissions(params);
-
-      if (permResponse) {
+      // based on user permissions..
+      const permResponse = await permissionStore.fetchObjectPermissions({ ...params, idp: undefined });
+      //  and IDP permissions (if current user's idp is provided in params)
+      const IdpPermResponse = params?.idp
+        ? await permissionStore.fetchObjectIdpPermissions({ ...params, userId: undefined })
+        : undefined;
+      // if permissions found
+      if (permResponse || IdpPermResponse) {
         const uniqueIds: Array<string> = [
           ...new Set<string>(
             permResponse
-              .map((x: { objectId: string }) => x.objectId)
+              ?.map((x: { objectId: string }) => x.objectId)
+              .concat(IdpPermResponse?.map((x: { objectId: string }) => x.objectId) || [])
               // Resolve API returning all objects with bucketPerms=true even when requesting single objectId
               .filter((objectId: string) => !params.objectId || objectId === params.objectId)
           )
diff --git a/frontend/src/store/permissionStore.ts b/frontend/src/store/permissionStore.ts
index 5bc0aaf8..0d0b3255 100644
--- a/frontend/src/store/permissionStore.ts
+++ b/frontend/src/store/permissionStore.ts
@@ -10,20 +10,30 @@ import { partition } from '@/utils/utils';
 import type { Ref } from 'vue';
 import type {
   BucketPermission,
+  BucketIdpPermission,
   BucketSearchPermissionsOptions,
   COMSObjectPermission,
+  COMSObjectIdpPermission,
   ObjectSearchPermissionsOptions,
   IdentityProvider,
   Permission,
   User,
-  UserPermissions
+  UserPermissions,
+  IdpPermissions
 } from '@/types';
 
 export type PermissionStoreState = {
+  // user permissions
   bucketPermissions: Ref<Array<BucketPermission>>;
   mappedBucketToUserPermissions: Ref<Array<UserPermissions>>;
   mappedObjectToUserPermissions: Ref<Array<UserPermissions>>;
   objectPermissions: Ref<Array<COMSObjectPermission>>;
+  // IDP permissions
+  bucketIdpPermissions: Ref<any>;
+  objectIdpPermissions: Ref<any>;
+  mappedBucketToIdpPermissions: Ref<any>;
+  mappedObjectToIdpPermissions: Ref<any>;
+  // general permissions
   permissions: Ref<Array<Permission>>;
 };
 
@@ -36,15 +46,23 @@ export const usePermissionStore = defineStore('permission', () => {
 
   // State
   const state: PermissionStoreState = {
+    // user permissions
     bucketPermissions: ref([]),
     mappedBucketToUserPermissions: ref([]),
     mappedObjectToUserPermissions: ref([]),
     objectPermissions: ref([]),
+    // IDP permissions
+    bucketIdpPermissions: ref([]),
+    objectIdpPermissions: ref([]),
+    mappedBucketToIdpPermissions: ref([]),
+    mappedObjectToIdpPermissions: ref([]),
+    // general permissions
     permissions: ref([])
   };
 
   // Getters
   const getters = {
+    // User permissions
     getBucketPermissions: computed(() => state.bucketPermissions.value),
     getMappedBucketToUserPermissions: computed(() => state.mappedBucketToUserPermissions.value),
     getMappedObjectToUserPermissions: computed(() => state.mappedObjectToUserPermissions.value),
@@ -57,7 +75,22 @@ export const usePermissionStore = defineStore('permission', () => {
       });
       return op.concat(bp);
     }),
+
+    // IDP permissions
+    getMappedBucketToIdpPermissions: computed(() => state.mappedBucketToIdpPermissions.value),
+    getMappedObjectToIdpPermissions: computed(() => state.mappedObjectToIdpPermissions.value),
+    getMappedObjectAndBucketToIdpPermissions: computed(() => {
+      const op = state.mappedObjectToIdpPermissions.value.map((o: any) => {
+        return { ...o, resource: 'object' };
+      });
+      const bp = state.mappedBucketToIdpPermissions.value.map((b: any) => {
+        return { ...b, resource: 'bucket' };
+      });
+      return op.concat(bp);
+    }),
     getObjectPermissions: computed(() => state.objectPermissions.value),
+
+    // General permissions
     getPermissions: computed(() => state.permissions.value)
   };
 
@@ -97,6 +130,33 @@ export const usePermissionStore = defineStore('permission', () => {
     }
   }
 
+  async function addBucketIdpPermission(bucketId: string, idp: string, permCode: string): Promise<void> {
+    try {
+      appStore.beginIndeterminateLoading();
+      // note: permission changes always cascade to subfolders for which current user has MANAGE permission
+      await permissionService.bucketAddIdpPermissions(bucketId, [{ idp, permCode }], { recursive: true });
+    } catch (error: any) {
+      toast.error('Adding bucket IDP permission', error.response?.data.detail ?? error, { life: 0 });
+    } finally {
+      await fetchBucketIdpPermissions({ bucketId: bucketId });
+      await mapBucketToIdpPermissions(bucketId);
+      appStore.endIndeterminateLoading();
+    }
+  }
+
+  async function addObjectIdpPermission(objectId: string, idp: string, permCode: string): Promise<void> {
+    try {
+      appStore.beginIndeterminateLoading();
+      await permissionService.objectAddIdpPermissions(objectId, [{ idp, permCode }]);
+    } catch (error: any) {
+      toast.error('Adding object IDP permission', error.response?.data.detail ?? error, { life: 0 });
+    } finally {
+      await fetchObjectIdpPermissions({ objectId: objectId });
+      await mapObjectToIdpPermissions(objectId);
+      appStore.endIndeterminateLoading();
+    }
+  }
+
   function addObjectUser(user: UserPermissions): void {
     try {
       getters.getMappedObjectToUserPermissions.value.push(user);
@@ -132,6 +192,33 @@ export const usePermissionStore = defineStore('permission', () => {
     }
   }
 
+  async function deleteBucketIdpPermission(bucketId: string, idp: string, permCode: string): Promise<void> {
+    try {
+      appStore.beginIndeterminateLoading();
+      // note: permission changes always cascade to subfolders for which current user has MANAGE permission
+      await permissionService.bucketDeleteIdpPermission(bucketId, { idp, permCode, recursive: true });
+    } catch (error: any) {
+      toast.error('Deleting bucket IDP permission', error.response?.data.detail ?? error, { life: 0 });
+    } finally {
+      await fetchBucketPermissions({ bucketId: bucketId });
+      await mapBucketToIdpPermissions(bucketId);
+      appStore.endIndeterminateLoading();
+    }
+  }
+
+  async function deleteObjectIdpPermission(objectId: string, idp: string, permCode: string): Promise<void> {
+    try {
+      appStore.beginIndeterminateLoading();
+      await permissionService.objectDeleteIdpPermission(objectId, { idp, permCode });
+    } catch (error: any) {
+      toast.error('Deleting object IDP permission', error.response?.data.detail ?? error, { life: 0 });
+    } finally {
+      await fetchObjectPermissions({ objectId: objectId });
+      await mapObjectToIdpPermissions(objectId);
+      appStore.endIndeterminateLoading();
+    }
+  }
+
   async function fetchBucketPermissions(
     params: BucketSearchPermissionsOptions = {}
   ): Promise<Array<BucketPermission> | void> {
@@ -186,21 +273,37 @@ export const usePermissionStore = defineStore('permission', () => {
   }
 
   function isBucketActionAllowed(bucketId: string, userId?: string, permCode?: string): boolean {
-    return state.bucketPermissions.value.some(
+    // check user permissions
+    const userPerm = state.bucketPermissions.value.some(
       (x: BucketPermission) => x.bucketId === bucketId && x.userId === userId && x.permCode === permCode
     );
+    // check idp permissions
+    const idp = getProfile.value?.identity_provider;
+    const idpPerm = state.bucketIdpPermissions.value.some(
+      (x: BucketIdpPermission) => x.bucketId === bucketId && x.idp === idp && x.permCode === permCode
+    );
+
+    return userPerm || idpPerm;
   }
 
   function isObjectActionAllowed(objectId: string, userId?: string, permCode?: string, bucketId?: string): boolean {
-    const bucketPerm = state.bucketPermissions.value.some(
+    // check user permissions
+    const bucketUserPerm = state.bucketPermissions.value.some(
       (x: BucketPermission) => x.bucketId === bucketId && x.userId === userId && x.permCode === permCode
     );
-
-    const objectPerm = state.objectPermissions.value.some(
+    const objectUserPerm = state.objectPermissions.value.some(
       (x: COMSObjectPermission) => x.objectId === objectId && x.userId === userId && x.permCode === permCode
     );
+    // check idp permissions
+    const idp = getProfile.value?.identity_provider;
+    const bucketIdpPerm = state.bucketIdpPermissions.value.some(
+      (x: BucketIdpPermission) => x.bucketId === bucketId && x.idp === idp && x.permCode === permCode
+    );
+    const objectIdpPerm = state.objectIdpPermissions.value.some(
+      (x: COMSObjectIdpPermission) => x.objectId === objectId && x.idp === idp && x.permCode === permCode
+    );
 
-    return bucketPerm || objectPerm;
+    return bucketUserPerm || objectUserPerm || bucketIdpPerm || objectIdpPerm;
   }
 
   function isUserElevatedRights(): boolean {
@@ -226,12 +329,12 @@ export const usePermissionStore = defineStore('permission', () => {
       uniqueUsers.forEach((user: User) => {
         const configuredIdp = getConfig.value.idpList.find((idp: IdentityProvider) => idp.idp === user.idp);
         // If IDP is not specified in our IDP list config, assume it's BC Services Card
-        const idpName = configuredIdp?.name || 'BCSC';
+        const idp = configuredIdp?.name || 'BCSC';
         const idpElevated = configuredIdp?.elevatedRights || false;
 
         userPermissions.push({
           userId: user.userId,
-          idpName: idpName,
+          idp: idp,
           elevatedRights: idpElevated,
           fullName: user.fullName,
           create: hasPermission(user.userId, Permissions.CREATE),
@@ -265,12 +368,12 @@ export const usePermissionStore = defineStore('permission', () => {
       uniqueUsers.forEach((user: User) => {
         const configuredIdp = getConfig.value.idpList.find((idp: IdentityProvider) => idp.idp === user.idp);
         // If IDP is not specified in our IDP list config, assume it's BC Services Card
-        const idpName = configuredIdp?.name || 'BCSC';
+        const idp = configuredIdp?.name || 'BCSC';
         const idpElevated = configuredIdp?.elevatedRights || false;
 
         userPermissions.push({
           userId: user.userId,
-          idpName: idpName,
+          idp: idp,
           elevatedRights: idpElevated,
           fullName: user.fullName,
           create: hasPermission(user.userId, Permissions.CREATE),
@@ -289,6 +392,115 @@ export const usePermissionStore = defineStore('permission', () => {
     }
   }
 
+  async function fetchBucketIdpPermissions(params: any = {}): Promise<Array<any> | void> {
+    try {
+      appStore.beginIndeterminateLoading();
+
+      const response = (await permissionService.bucketSearchIdpPermissions(params)).data;
+      const newPerms: Array<any> = response.flatMap((x: any) => x.permissions);
+
+      // patch bucketPermissions state with latest perms from COMS
+      const matches = (x: any) =>
+        (!params.bucketId || x.bucketId === params.bucketId) &&
+        (!params.idp || x.idp === params.idp) &&
+        (!params.permCode || x.permCode === params.permCode);
+      const [, difference] = partition(state.bucketIdpPermissions.value, matches);
+      state.bucketIdpPermissions.value = difference.concat(newPerms);
+
+      // Pass response back so bucketStore can handle bucketPerms=true correctly
+      return response;
+    } catch (error: any) {
+      toast.error('Fetching bucket IDP permissions', error.response?.data.detail ?? error, { life: 0 });
+    } finally {
+      appStore.endIndeterminateLoading();
+    }
+  }
+
+  async function fetchObjectIdpPermissions(params: any = {}): Promise<Array<any> | undefined> {
+    try {
+      appStore.beginIndeterminateLoading();
+
+      const response = (await permissionService.objectSearchIdpPermissions(params)).data;
+
+      const newPerms: Array<any> = response.flatMap((x: any) => x.permissions);
+
+      // patch objectPermissions state with latest perms from COMS
+      const matches = (x: any) =>
+        (!params.objectId || x.objectId === params.objectId) &&
+        (!params.idp || x.idp === params.idp) &&
+        (!params.permCode || x.permCode === params.permCode);
+      const [, difference] = partition(state.objectIdpPermissions.value, matches);
+      state.objectIdpPermissions.value = difference.concat(newPerms);
+
+      // Pass response back so objectStore can handle bucketPerms=true correctly
+      return response;
+    } catch (error: any) {
+      toast.error('Fetching object permissions', error.response?.data.detail ?? error, { life: 0 });
+    } finally {
+      appStore.endIndeterminateLoading();
+    }
+  }
+
+  async function mapBucketToIdpPermissions(bucketId: string): Promise<void> {
+    try {
+      appStore.beginIndeterminateLoading();
+      const bucketPerms = state.bucketIdpPermissions.value.filter((x: any) => x.bucketId === bucketId);
+      const uniqueIdpNames = [...new Set(bucketPerms.map((x: any) => x.idp))];
+
+      const hasPermission = (idp: string, permission: string) => {
+        return bucketPerms.some((perm: any) => perm.idp === idp && perm.permCode === permission);
+      };
+
+      const IdpPermissions: IdpPermissions[] = [];
+      uniqueIdpNames.forEach((idp: any) => {
+        IdpPermissions.push({
+          idp: idp,
+          create: hasPermission(idp, Permissions.CREATE),
+          read: hasPermission(idp, Permissions.READ),
+          update: hasPermission(idp, Permissions.UPDATE),
+          delete: hasPermission(idp, Permissions.DELETE),
+          manage: hasPermission(idp, Permissions.MANAGE)
+        });
+      });
+
+      state.mappedBucketToIdpPermissions.value = IdpPermissions;
+    } catch (error: any) {
+      toast.error('Mapping bucket permissions to IDP permissions', error.response?.data.detail ?? error, { life: 0 });
+    } finally {
+      appStore.endIndeterminateLoading();
+    }
+  }
+
+  async function mapObjectToIdpPermissions(objectId: string): Promise<void> {
+    try {
+      appStore.beginIndeterminateLoading();
+      const objectPerms = state.objectIdpPermissions.value.filter((x: any) => x.objectId === objectId);
+      const uniqueIdpNames = [...new Set(objectPerms.map((x: any) => x.idp))];
+
+      const hasPermission = (idp: string, permission: string) => {
+        return objectPerms.some((perm: any) => perm.idp === idp && perm.permCode === permission);
+      };
+
+      const idpPermissions: IdpPermissions[] = [];
+      uniqueIdpNames.forEach((idp: any) => {
+        idpPermissions.push({
+          idp: idp,
+          create: hasPermission(idp, Permissions.CREATE),
+          read: hasPermission(idp, Permissions.READ),
+          update: hasPermission(idp, Permissions.UPDATE),
+          delete: hasPermission(idp, Permissions.DELETE),
+          manage: hasPermission(idp, Permissions.MANAGE)
+        });
+      });
+
+      state.mappedObjectToIdpPermissions.value = idpPermissions;
+    } catch (error: any) {
+      toast.error('Mapping object permissions to IDP permissions', error.response?.data.detail ?? error, { life: 0 });
+    } finally {
+      appStore.endIndeterminateLoading();
+    }
+  }
+
   async function removeBucketUser(bucketId: string, userId: string): Promise<void> {
     try {
       appStore.beginIndeterminateLoading();
@@ -358,7 +570,15 @@ export const usePermissionStore = defineStore('permission', () => {
     mapBucketToUserPermissions,
     mapObjectToUserPermissions,
     removeBucketUser,
-    removeObjectUser
+    removeObjectUser,
+    addBucketIdpPermission,
+    addObjectIdpPermission,
+    fetchObjectIdpPermissions,
+    fetchBucketIdpPermissions,
+    deleteBucketIdpPermission,
+    deleteObjectIdpPermission,
+    mapBucketToIdpPermissions,
+    mapObjectToIdpPermissions
   };
 });
 
diff --git a/frontend/src/types/BucketIdpPermission.ts b/frontend/src/types/BucketIdpPermission.ts
new file mode 100644
index 00000000..2e2cd2a3
--- /dev/null
+++ b/frontend/src/types/BucketIdpPermission.ts
@@ -0,0 +1,8 @@
+import type { IAudit } from '@/interfaces';
+
+export type BucketIdpPermission = {
+  bucketId: string;
+  id: string;
+  permCode: string;
+  idp: string;
+} & IAudit;
diff --git a/frontend/src/types/COMSObjectIdpPermission.ts b/frontend/src/types/COMSObjectIdpPermission.ts
new file mode 100644
index 00000000..863ad000
--- /dev/null
+++ b/frontend/src/types/COMSObjectIdpPermission.ts
@@ -0,0 +1,8 @@
+import type { IAudit } from '@/interfaces';
+
+export type COMSObjectIdpPermission = {
+  id: string;
+  objectId: string;
+  permCode: string;
+  idp: string;
+} & IAudit;
diff --git a/frontend/src/types/IdpPermissions.ts b/frontend/src/types/IdpPermissions.ts
new file mode 100644
index 00000000..515c5cd7
--- /dev/null
+++ b/frontend/src/types/IdpPermissions.ts
@@ -0,0 +1,8 @@
+export type IdpPermissions = {
+  idp: string;
+  create?: boolean;
+  read: boolean;
+  update: boolean;
+  delete: boolean;
+  manage: boolean;
+};
diff --git a/frontend/src/types/UserPermissions.ts b/frontend/src/types/UserPermissions.ts
index 2c983114..41e5e95a 100644
--- a/frontend/src/types/UserPermissions.ts
+++ b/frontend/src/types/UserPermissions.ts
@@ -1,6 +1,6 @@
 export type UserPermissions = {
   userId: string;
-  idpName?: string;
+  idp?: string;
   elevatedRights?: boolean;
   fullName: string;
   create?: boolean;
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index 6bac653d..8d800dd2 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -3,7 +3,10 @@ export type { BucketPermission } from './BucketPermission';
 export type { BucketTreeNode, BucketTreeNodeData } from './BucketTreeNode';
 export type { COMSObject } from './COMSObject';
 export type { COMSObjectPermission } from './COMSObjectPermission';
+export type { COMSObjectIdpPermission } from './COMSObjectIdpPermission';
 export type { IdentityProvider } from './IdentityProvider';
+export type { IdpPermissions } from './IdpPermissions';
+export type { BucketIdpPermission } from './BucketIdpPermission';
 export type { InviteCreateOptions } from './InviteCreateOptions';
 export type { Metadata } from './Metadata';
 export type { MetadataPair } from './MetadataPair';
diff --git a/frontend/src/types/options/BucketSearchPermissionsOptions.ts b/frontend/src/types/options/BucketSearchPermissionsOptions.ts
index da96a983..653f2214 100644
--- a/frontend/src/types/options/BucketSearchPermissionsOptions.ts
+++ b/frontend/src/types/options/BucketSearchPermissionsOptions.ts
@@ -3,4 +3,5 @@ export type BucketSearchPermissionsOptions = {
   objectPerms?: boolean;
   permCode?: string;
   userId?: string;
+  idp?: string;
 };
diff --git a/frontend/src/types/options/ObjectSearchPermissionsOptions.ts b/frontend/src/types/options/ObjectSearchPermissionsOptions.ts
index f04a793d..e0926dd4 100644
--- a/frontend/src/types/options/ObjectSearchPermissionsOptions.ts
+++ b/frontend/src/types/options/ObjectSearchPermissionsOptions.ts
@@ -4,8 +4,9 @@ export type ObjectSearchPermissionsOptions = {
   objectId?: string | Array<string>;
   permCode?: string;
   userId?: string;
-  limit?: number,
-  sort?: string,
-  order?: string,
-  page?: number
+  idp?: string;
+  limit?: number;
+  sort?: string;
+  order?: string;
+  page?: number;
 };
diff --git a/frontend/src/views/list/ListObjectsView.vue b/frontend/src/views/list/ListObjectsView.vue
index 2c29deb3..bf765b32 100644
--- a/frontend/src/views/list/ListObjectsView.vue
+++ b/frontend/src/views/list/ListObjectsView.vue
@@ -26,7 +26,7 @@ const props = withDefaults(defineProps<Props>(), {
 
 // Store
 const bucketStore = useBucketStore();
-const { getUserId, getIsAuthenticated } = storeToRefs(useAuthStore());
+const { getProfile, getUserId, getIsAuthenticated } = storeToRefs(useAuthStore());
 const permissionStore = usePermissionStore();
 const toast = useToast();
 const { focusedElement } = storeToRefs(useNavStore());
@@ -97,13 +97,14 @@ onErrorCaptured((e: Error) => {
 onBeforeMount(async () => {
   const router = useRouter();
 
-  // fetch bucket; populate bucket and permissions in store
   let bucketResponse: any = [];
   if (props?.bucketId) {
+    // if logged in, fetch bucket; populate bucket and permissions in store
     if (getIsAuthenticated.value) {
       bucketResponse = await bucketStore.fetchBuckets({
         bucketId: props.bucketId,
         userId: getUserId.value,
+        idp: (getProfile.value as any)?.identity_provider,
         objectPerms: true
       });
     } else {

From 834692e2f210dd6406d92609ddc226d67c076871 Mon Sep 17 00:00:00 2001
From: Csaky <tim.csaky@gov.bc.ca>
Date: Fri, 6 Mar 2026 16:58:54 -0800
Subject: [PATCH 2/6] Controls for Internal Only sharing Toggle for folder/file
 'internal only' setting 'internal' annotation added

---
 frontend/src/assets/main.scss                 |  15 ++
 .../src/components/bucket/BucketIdpToggle.vue | 138 ++++++++++++++++
 frontend/src/components/bucket/BucketList.vue |  10 +-
 .../components/bucket/BucketPermission.vue    |  26 ++-
 .../src/components/bucket/BucketTable.vue     |  20 +++
 frontend/src/components/bucket/index.ts       |   2 +
 .../components/object/ObjectFileDetails.vue   |  13 ++
 .../src/components/object/ObjectIdpToggle.vue | 125 +++++++++++++++
 frontend/src/components/object/ObjectList.vue |   9 +-
 .../components/object/ObjectPermission.vue    |  29 +++-
 .../src/components/object/ObjectTable.vue     |  49 ++++--
 frontend/src/components/object/index.ts       |   2 +-
 frontend/src/store/bucketStore.ts             |   2 +-
 frontend/src/store/permissionStore.ts         | 151 ++++++------------
 frontend/src/views/list/ListObjectsView.vue   |  22 +++
 15 files changed, 477 insertions(+), 136 deletions(-)
 create mode 100644 frontend/src/components/bucket/BucketIdpToggle.vue
 create mode 100644 frontend/src/components/object/ObjectIdpToggle.vue

diff --git a/frontend/src/assets/main.scss b/frontend/src/assets/main.scss
index af54a33f..1dd2ac32 100644
--- a/frontend/src/assets/main.scss
+++ b/frontend/src/assets/main.scss
@@ -271,6 +271,21 @@ div:focus-visible {
   }
 }
 
+.p-tag-info {
+  background-color: rgb(224, 242, 254);
+  outline-style: solid;
+  outline-color: $bcbox-primary;
+  outline-width: thin;
+
+  .p-tag-value {
+    color: $bcbox-primary;
+  }
+
+  .p-tag-icon {
+    color: $bcbox-primary
+  }
+}
+
 /* datatable */
 .p-datatable,
 .p-treetable {
diff --git a/frontend/src/components/bucket/BucketIdpToggle.vue b/frontend/src/components/bucket/BucketIdpToggle.vue
new file mode 100644
index 00000000..bb1338d2
--- /dev/null
+++ b/frontend/src/components/bucket/BucketIdpToggle.vue
@@ -0,0 +1,138 @@
+<script setup lang="ts">
+import { computed, onMounted, ref, watch } from 'vue';
+
+import { InputSwitch, useConfirm, useToast } from '@/lib/primevue';
+import { usePermissionStore } from '@/store';
+import { Permissions } from '@/utils/constants';
+
+import type { Ref } from 'vue';
+
+// Props
+type Props = {
+  bucketId: string;
+  bucketName: string;
+  bucketPublic: boolean;
+  userId: string;
+};
+
+const props = withDefaults(defineProps<Props>(), {});
+
+// Store
+const permissionStore = usePermissionStore();
+
+// State
+const isInternal: Ref<boolean> = ref(false);
+const fetchBucketInternal = async (): Promise<boolean> => {
+  const bucketIdpPermissions = await permissionStore.fetchBucketIdpPermissions({
+    bucketId: props.bucketId,
+    permCode: 'READ',
+    idp: 'idir'
+  });
+  const hasPerms = (bucketIdpPermissions?.length ?? 0) > 0;
+
+  return hasPerms || props.bucketPublic;
+};
+
+// check bucket for the IDP permission
+const isBucketInternal: Ref<boolean> = ref(false);
+const isParentBucketInternal: Ref<boolean> = ref(false);
+const fetchParentBucketInternal = async (): Promise<boolean> => {
+  const bucketIdpPermissions = await permissionStore.fetchBucketIdpPermissions({
+    bucketId: props.bucketId,
+    permCode: 'READ',
+    idp: 'idir'
+  });
+  return (bucketIdpPermissions?.length ?? 0) > 0;
+};
+
+const isToggleEnabled = computed(() => {
+  return (
+    !isBucketInternal.value &&
+    !props.bucketPublic &&
+    usePermissionStore().isUserElevatedRights() &&
+    permissionStore.isBucketActionAllowed(props.bucketId, props.userId, Permissions.MANAGE)
+  );
+});
+
+// Actions
+const toast = useToast();
+const confirm = useConfirm();
+
+const toggleIdp = async (value: boolean) => {
+  if (value) {
+    confirm.require({
+      message: "Setting this file to 'Internal only' will allow all IDIR users " + 'to view and download it.',
+      header: 'Set file to Internal only?',
+      acceptLabel: 'Set to Internal only',
+      rejectLabel: 'Cancel',
+      accept: () => {
+        permissionStore
+          .addBucketIdpPermission(props.bucketId, 'idir', 'READ')
+          .then(() => {
+            isInternal.value = true;
+            toast.success('File set to Internal only', `"${props.bucketName}" is now Internal only`);
+          })
+          .catch((e) => toast.error('Setting file to Internal only failed', e.response?.data.detail, { life: 0 }));
+      },
+      reject: () => (isInternal.value = false),
+      onHide: () => (isInternal.value = false)
+    });
+  } else
+    confirm.require({
+      message:
+        "Setting this file to private will remove 'Internal only' access. " +
+        'Only users with permissions will be able to view or download the file.',
+      header: 'Set file to private?',
+      acceptLabel: 'Set to private',
+      rejectLabel: 'Cancel',
+      accept: () => {
+        permissionStore
+          .deleteBucketIdpPermission(props.bucketId, 'idir', 'READ')
+          .then(() => {
+            isInternal.value = false;
+            toast.success('File set to private', `"${props.bucketName}" is no longer 'Internal only'`);
+          })
+          .catch((e) => toast.error('Setting file to private failed', e.response?.data.detail, { life: 0 }));
+      },
+      reject: () => (isInternal.value = true),
+      onHide: () => (isInternal.value = true)
+    });
+};
+
+onMounted(async () => {
+  isInternal.value = await fetchBucketInternal();
+  isParentBucketInternal.value = await fetchParentBucketInternal();
+});
+
+watch(props, () => {
+  if (props.bucketPublic === true) isInternal.value = true;
+  else {
+    const perms = permissionStore.getBucketIdpPermissions.filter(
+      (p: any) => p.permCode === Permissions.READ && p.bucketId === props.bucketId && p.idp === 'idir'
+    );
+    if (perms.length > 0) isInternal.value = true;
+    else {
+      isInternal.value = false;
+    }
+  }
+});
+</script>
+
+<template>
+  <span
+    v-tooltip="
+      isToggleEnabled
+        ? ''
+        : props.bucketPublic
+          ? 'Enabled by Public Sharing'
+          : 'Change the folder\'s \'Internal only\' setting to update this file'
+    "
+  >
+    <InputSwitch
+      :model-value="isInternal"
+      aria-label="Toggle to make file Internl only"
+      :disabled="!isToggleEnabled"
+      @update:model-value="toggleIdp($event)"
+    />
+  </span>
+</template>
diff --git a/frontend/src/components/bucket/BucketList.vue b/frontend/src/components/bucket/BucketList.vue
index efe7ccca..e463cbd2 100644
--- a/frontend/src/components/bucket/BucketList.vue
+++ b/frontend/src/components/bucket/BucketList.vue
@@ -43,7 +43,11 @@ const closeBucketConfig = () => {
 };
 
 onMounted(async () => {
-  await bucketStore.fetchBuckets({ userId: getUserId.value, objectPerms: true });
+  await bucketStore.fetchBuckets({
+    userId: getUserId.value,
+    idp: 'idir',
+    objectPerms: true
+  });
 });
 </script>
 
@@ -103,7 +107,7 @@ onMounted(async () => {
           {{ bucketConfigTitle }}
         </h3>
 
-        <!-- <Message severity="warn">
+        <Message severity="warn">
           If you intend to share files in your bucket with BCeID or BC Services Card users, please notify
           <a href="mailto:IDIM.Consulting@gov.bc.ca">IDIM.Consulting@gov.bc.ca</a>
           that you plan to use BCBox.
@@ -119,7 +123,7 @@ onMounted(async () => {
           </a>
           (Natural Resource ministries) or your ministry's service desk if you need help with &quot;bucket&quot; storage
           location sources.
-        </Message> -->
+        </Message>
 
         <BucketConfigForm
           :bucket="bucketToUpdate"
diff --git a/frontend/src/components/bucket/BucketPermission.vue b/frontend/src/components/bucket/BucketPermission.vue
index f7dc2036..b7af6a2c 100644
--- a/frontend/src/components/bucket/BucketPermission.vue
+++ b/frontend/src/components/bucket/BucketPermission.vue
@@ -3,7 +3,7 @@ import { storeToRefs } from 'pinia';
 import { computed, onBeforeMount, ref } from 'vue';
 import { FontAwesomeIcon } from '@fortawesome/vue-fontawesome';
 
-import BucketPublicToggle from '@/components/bucket/BucketPublicToggle.vue';
+import { BucketPublicToggle, BucketIdpToggle } from '@/components/bucket';
 import BucketPermissionAddUser from '@/components/bucket/BucketPermissionAddUser.vue';
 import { BulkPermission } from '@/components/common';
 import { useAlert } from '@/composables/useAlert';
@@ -82,16 +82,15 @@ onBeforeMount(async () => {
 <template>
   <TabView>
     <TabPanel header="Manage permissions">
+      <h3>Sharing Access</h3>
       <!-- public toggle -->
       <div class="flex pb-3">
         <div class="flex-grow-1">
           <div class="pb-1">
-            <h3>Set to public</h3>
+            <h4>Set to public</h4>
             <p>
-              Making a folder
-              <strong>public</strong>
-              means that all files within it, including those in any subfolders, can be accessed by anyone without
-              requiring authentication.
+              Enabling this shares all files and subfolders. Anyone with the link can view the content without signing
+              in.
             </p>
           </div>
         </div>
@@ -104,6 +103,21 @@ onBeforeMount(async () => {
           :user-id="getUserId"
         />
       </div>
+
+      <div class="flex flex-row pb-3">
+        <div class="flex-grow-1">
+          <h4 class="pb-1">Internl only</h4>
+          <p>Allow all IDIR users to view this flder and its content</p>
+        </div>
+        <BucketIdpToggle
+          v-if="bucket && getUserId"
+          :bucket-id="bucket.bucketId"
+          :bucket-name="bucket.bucketName"
+          :bucket-public="bucket.public"
+          :user-id="getUserId"
+        />
+      </div>
+
       <h3>User Permissions</h3>
       <!-- user search -->
       <div v-if="!showSearchUsers">
diff --git a/frontend/src/components/bucket/BucketTable.vue b/frontend/src/components/bucket/BucketTable.vue
index b1ef82ef..603b11ed 100644
--- a/frontend/src/components/bucket/BucketTable.vue
+++ b/frontend/src/components/bucket/BucketTable.vue
@@ -58,6 +58,15 @@ const getBucketPublicStatus = computed(() => {
   };
 });
 
+const getInternalStatus = computed(() => {
+  return (node: BucketTreeNode): boolean => {
+    if (node.data.bucketId) {
+      return permissionStore.getBucketInternal(node.data.bucketId);
+    }
+    return false;
+  };
+});
+
 const emit = defineEmits(['show-bucket-config', 'show-sidebar-info']);
 
 // Actions
@@ -337,6 +346,17 @@ watch(getBuckets, () => {
             icon="pi pi-info-circle"
             class="public-folder"
           />
+
+          <Tag
+            v-if="!getBucketPublicStatus(node) && getInternalStatus(node)"
+            v-tooltip="'Contents of this Folder can be read by anyone internal to government.'"
+            value="Internal"
+            severity="info"
+            rounded
+            icon="pi pi-info-circle"
+            class="ml-2 mb-1 min-w-100"
+          />
+
           <BucketChildConfig
             v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.CREATE)"
             :parent-bucket="node.data"
diff --git a/frontend/src/components/bucket/index.ts b/frontend/src/components/bucket/index.ts
index 04257c05..e4ac95d6 100644
--- a/frontend/src/components/bucket/index.ts
+++ b/frontend/src/components/bucket/index.ts
@@ -3,6 +3,8 @@ export { default as BucketConfigForm } from './BucketConfigForm.vue';
 export { default as BucketList } from './BucketList.vue';
 export { default as BucketPermission } from './BucketPermission.vue';
 export { default as BucketPermissionAddUser } from './BucketPermissionAddUser.vue';
+export { default as BucketPublicToggle } from './BucketPublicToggle.vue';
+export { default as BucketIdpToggle } from './BucketIdpToggle.vue';
 export { default as BucketSidebar } from './BucketSidebar.vue';
 export { default as BucketTable } from './BucketTable.vue';
 export { default as BucketTableBucketName } from './BucketTableBucketName.vue';
diff --git a/frontend/src/components/object/ObjectFileDetails.vue b/frontend/src/components/object/ObjectFileDetails.vue
index 294ae9dd..1b73557e 100644
--- a/frontend/src/components/object/ObjectFileDetails.vue
+++ b/frontend/src/components/object/ObjectFileDetails.vue
@@ -65,6 +65,8 @@ const object: Ref<COMSObject | undefined> = ref(undefined);
 const bucketId: Ref<string> = ref('');
 const permissionsVisible: Ref<boolean> = ref(false);
 
+const isInternal = computed(() => permissionStore.getInternal(object.value));
+
 // version stuff
 const bucketVersioningEnabled = computed(() => getIsVersioningEnabled.value(props.objectId));
 const currentVersionId: Ref<string | undefined> = ref(props.versionId);
@@ -170,6 +172,17 @@ onMounted(async () => {
               rounded
               icon="pi pi-info-circle"
             />
+            <Tag
+              v-else-if="isInternal"
+              v-tooltip="
+                'This folder and its contents can be read by anyone internal to government. ' +
+                'Change the settings in &quot;Folder permissions.&quot;'
+              "
+              value="Internal"
+              severity="info"
+              rounded
+              icon="pi pi-info-circle"
+            />
           </span>
         </div>
 
diff --git a/frontend/src/components/object/ObjectIdpToggle.vue b/frontend/src/components/object/ObjectIdpToggle.vue
new file mode 100644
index 00000000..ba2c8e31
--- /dev/null
+++ b/frontend/src/components/object/ObjectIdpToggle.vue
@@ -0,0 +1,125 @@
+<script setup lang="ts">
+import { computed, onMounted } from 'vue';
+
+import { InputSwitch, useConfirm, useToast } from '@/lib/primevue';
+import { useBucketStore, usePermissionStore } from '@/store';
+import { Permissions } from '@/utils/constants';
+
+import type { Ref } from 'vue';
+
+// Props
+type Props = {
+  bucketId: string;
+  objectId: string;
+  objectName: string;
+  objectPublic: boolean;
+  userId: string;
+};
+
+const props = withDefaults(defineProps<Props>(), {});
+
+// ---- State:
+const permissionStore = usePermissionStore();
+const bucketStore = useBucketStore();
+
+// has object IDP permission
+const isObjectInternal = computed(() => permissionStore.getObjectInternal(props.objectId));
+// has bucket IDP permission
+const isBucketInternal = computed(() => permissionStore.getBucketInternal(props.bucketId));
+// is public
+const isPublic: Ref<boolean> = computed(() => {
+  const bucketIsPublic = bucketStore.getBucket(props.bucketId)?.public ?? false;
+  return bucketIsPublic || props.objectPublic;
+});
+
+// value for toggle
+const switchVal: Ref<boolean> = computed(() => {
+  return isObjectInternal.value || isBucketInternal.value || isPublic.value;
+});
+
+const isToggleEnabled = computed(() => {
+  return (
+    !isBucketInternal.value &&
+    !isPublic.value &&
+    usePermissionStore().isUserElevatedRights() &&
+    permissionStore.isObjectActionAllowed(props.objectId, props.userId, Permissions.MANAGE, props.bucketId as string)
+  );
+});
+
+// Actions
+const toast = useToast();
+const confirm = useConfirm();
+
+const toggleIdp = async (value: boolean) => {
+  if (value) {
+    confirm.require({
+      message: "Setting this file to 'Internal only' will allow all IDIR users " + 'to view and download it.',
+      header: 'Set file to Internal only?',
+      acceptLabel: 'Set to Internal only',
+      rejectLabel: 'Cancel',
+      accept: () => {
+        permissionStore
+          .addObjectIdpPermission(props.objectId, 'idir', 'READ')
+          .then(() => {
+            switchVal.value = true;
+            toast.success('File set to Internal only', `"${props.objectName}" is now Internal only`);
+          })
+          .catch((e) => toast.error('Setting file to Internal only failed', e.response?.data.detail, { life: 0 }));
+      },
+      reject: () => (switchVal.value = false),
+      onHide: () => (switchVal.value = false)
+    });
+  } else
+    confirm.require({
+      message:
+        "Setting this file to private will remove 'Internal only' access. " +
+        'Only users with permissions will be able to view or download the file.',
+      header: 'Set file to private?',
+      acceptLabel: 'Set to private',
+      rejectLabel: 'Cancel',
+      accept: () => {
+        permissionStore
+          .deleteObjectIdpPermission(props.objectId, 'idir', 'READ')
+          .then(() => {
+            switchVal.value = false;
+            toast.success('File set to private', `"${props.objectName}" is no longer 'Internal only'`);
+          })
+          .catch((e) => toast.error('Setting file to private failed', e.response?.data.detail, { life: 0 }));
+      },
+      reject: () => (switchVal.value = true),
+      onHide: () => (switchVal.value = true)
+    });
+};
+
+onMounted(async () => {
+  await permissionStore.fetchObjectIdpPermissions({
+    objectId: props.objectId,
+    permCode: 'READ',
+    idp: 'idir'
+  });
+  await permissionStore.fetchBucketIdpPermissions({
+    bucketId: props.bucketId,
+    permCode: 'READ',
+    idp: 'idir'
+  });
+});
+</script>
+
+<template>
+  <span
+    v-tooltip="
+      isToggleEnabled
+        ? ''
+        : isPublic
+          ? 'Enabled by Public Sharing'
+          : 'Change the folder\'s \'Internal only\' setting to update this file'
+    "
+  >
+    <InputSwitch
+      :model-value="switchVal"
+      aria-label="Toggle to make file Internl only"
+      :disabled="!isToggleEnabled"
+      @update:model-value="toggleIdp($event)"
+    />
+  </span>
+</template>
diff --git a/frontend/src/components/object/ObjectList.vue b/frontend/src/components/object/ObjectList.vue
index 9bb9e526..52437434 100644
--- a/frontend/src/components/object/ObjectList.vue
+++ b/frontend/src/components/object/ObjectList.vue
@@ -25,11 +25,13 @@ import type { Ref } from 'vue';
 type Props = {
   bucketId: string;
   isBucketPublic?: boolean;
+  isBucketInternal?: boolean;
 };
 
 const props = withDefaults(defineProps<Props>(), {
   bucketId: undefined,
-  isBucketPublic: undefined
+  isBucketPublic: undefined,
+  isBucketInternal: undefined
 });
 
 //const navStore = useNavStore();
@@ -118,7 +120,9 @@ const autoSync = async () => {
 
 onBeforeMount(async () => {
   // sync bucket if necessary
-  const hasRead = permissionStore.getBucketPermissions.filter((p) => p.permCode === Permissions.READ);
+  const hasRead = permissionStore.getBucketPermissions.filter(
+    (p) => p.permCode === Permissions.READ && p.bucketId === props.bucketId
+  );
   if (hasRead.length > 0) await autoSync();
 });
 </script>
@@ -199,6 +203,7 @@ onBeforeMount(async () => {
           :key="objectTableKey"
           :bucket-id="props.bucketId"
           :is-bucket-public="props.isBucketPublic"
+          :is-bucket-internal-only="isBucketInternal"
           :object-info-id="objectInfoId"
           @show-object-info="showObjectInfo"
         />
diff --git a/frontend/src/components/object/ObjectPermission.vue b/frontend/src/components/object/ObjectPermission.vue
index 54eeec4c..52339466 100644
--- a/frontend/src/components/object/ObjectPermission.vue
+++ b/frontend/src/components/object/ObjectPermission.vue
@@ -3,7 +3,7 @@ import { storeToRefs } from 'pinia';
 import { computed, onBeforeMount, ref } from 'vue';
 import { FontAwesomeIcon } from '@fortawesome/vue-fontawesome';
 
-import { ObjectPermissionAddUser, ObjectPublicToggle } from '@/components/object';
+import { ObjectPermissionAddUser, ObjectPublicToggle, ObjectIdpToggle } from '@/components/object';
 import { BulkPermission } from '@/components/common';
 import { Button, Checkbox, Column, DataTable, TabPanel, TabView } from '@/lib/primevue';
 
@@ -40,7 +40,7 @@ const aggregatePermissionData = computed(() => {
     Object.values(
       data.reduce((acc, item) => {
         const baseUser = acc[item.userId] ?? {
-          idpName: item.idpName,
+          idp: item.idp,
           elevatedRights: item.elevatedRights,
           fullName: item.fullName,
           resource: 'object',
@@ -98,9 +98,10 @@ onBeforeMount(() => {
 <template>
   <TabView>
     <TabPanel header="Manage permissions">
+      <h3 class="mb-2">Sharing Access</h3>
       <div class="flex flex-row pb-3">
         <div class="flex-grow-1">
-          <h3 class="pb-1">Set to public</h3>
+          <h4 class="pb-1">Set to public</h4>
           <p>
             Setting a file to
             <strong>public</strong>
@@ -118,6 +119,24 @@ onBeforeMount(() => {
         />
       </div>
 
+      <div class="flex flex-row pb-3">
+        <div class="flex-grow-1">
+          <h4 class="pb-1">Internl only</h4>
+          <p>
+            Give access to
+            <strong>all IDIR users</strong>
+          </p>
+        </div>
+        <ObjectIdpToggle
+          v-if="object && getUserId"
+          :bucket-id="object.bucketId"
+          :object-id="object.id"
+          :object-name="object.name"
+          :object-public="object.public"
+          :user-id="getUserId"
+        />
+      </div>
+
       <h3 class="my-2">User Permissions</h3>
 
       <div v-if="!showSearchUsers">
@@ -167,7 +186,7 @@ onBeforeMount(() => {
           header="Name"
         />
         <Column
-          field="idpName"
+          field="idp"
           header="Provider"
         />
         <Column
@@ -186,7 +205,7 @@ onBeforeMount(() => {
                 input-id="read"
                 aria-label="read"
                 :binary="true"
-                :disabled="data.read.value"
+                :disabled="data.read.disabled"
                 @update:model-value="(value: boolean) => updateObjectPermission(value, data.userId, Permissions.READ)"
               />
             </span>
diff --git a/frontend/src/components/object/ObjectTable.vue b/frontend/src/components/object/ObjectTable.vue
index 2a3c9b1c..ca8ec202 100644
--- a/frontend/src/components/object/ObjectTable.vue
+++ b/frontend/src/components/object/ObjectTable.vue
@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { storeToRefs } from 'pinia';
-import { onUnmounted, onMounted, ref } from 'vue';
+import { computed, onUnmounted, onMounted, ref } from 'vue';
 
 import { Spinner } from '@/components/layout';
 import {
@@ -11,7 +11,7 @@ import {
   ObjectPublicToggle
 } from '@/components/object';
 import { ShareButton } from '@/components/common';
-import { Button, Column, DataTable, Dialog, InputText } from '@/lib/primevue';
+import { Button, Column, DataTable, Dialog, InputText, Tag } from '@/lib/primevue';
 import { useAuthStore, useObjectStore, useNavStore, usePermissionStore } from '@/store';
 import { Permissions, RouteNames } from '@/utils/constants';
 import { onDialogHide } from '@/utils/utils';
@@ -37,12 +37,14 @@ type DataTableFilter = {
 type Props = {
   bucketId?: string;
   isBucketPublic?: boolean;
+  isBucketInternal?: boolean;
   objectInfoId?: string;
 };
 
 const props = withDefaults(defineProps<Props>(), {
   bucketId: undefined,
   isBucketPublic: undefined,
+  isBucketInternal: undefined,
   objectInfoId: undefined
 });
 
@@ -71,6 +73,13 @@ const filters: Ref<DataTableFilter> = ref({
   meta: { value: undefined, matchMode: 'contains' }
 });
 
+// idp perms
+const isObjectInternal = computed(() => {
+  return (objId: any) => {
+    return permissionStore.getObjectInternal(objId);
+  };
+});
+
 // Actions
 const formatShortUuid = (uuid: string) => uuid?.slice(0, 8) ?? uuid;
 const onObjectDeleted = () => {
@@ -139,7 +148,6 @@ const loadLazyData = (event?: any) => {
         permissionStore.fetchObjectPermissions({
           objectId: objects.map((o: COMSObject) => o.id)
         });
-
         permissionStore.fetchObjectIdpPermissions({
           objectId: objects.map((o: COMSObject) => o.id)
         });
@@ -340,23 +348,36 @@ async function downloadPublicObject(objectId: string) {
         v-if="getIsAuthenticated"
         field="publicSharing"
         header="Public"
-        style="width: 100px"
+        class=""
+        style="width: 300px"
       >
         <template #body="{ data }">
-          <ObjectPublicToggle
-            v-if="props.bucketId && getUserId"
-            :bucket-id="props.bucketId"
-            :bucket-public="props.isBucketPublic"
-            :object-id="data.id"
-            :object-name="data.name"
-            :object-public="data.public"
-            :user-id="getUserId"
-          />
+          <div class="flex align-items-center">
+            <ObjectPublicToggle
+              v-if="props.bucketId && getUserId"
+              :bucket-id="props.bucketId"
+              :bucket-public="props.isBucketPublic"
+              :object-id="data.id"
+              :object-name="data.name"
+              :object-public="data.public"
+              :user-id="getUserId"
+            />
+
+            <Tag
+              v-if="!props.isBucketPublic && !data.public && !props.isBucketInternal && isObjectInternal(data.id)"
+              v-tooltip="'This file can be read by anyone internal to government.'"
+              value="Internal"
+              severity="info"
+              rounded
+              icon="pi pi-info-circle"
+              class="ml-2 mb-1 min-w-100"
+            />
+          </div>
         </template>
       </Column>
       <Column
         header="Actions"
-        :header-style="getIsAuthenticated ? 'min-width: 270px' : 'width: 40px'"
+        :header-style="getIsAuthenticated ? 'min-width: 240px' : 'width: 40px'"
         header-class="header-right"
         body-class="action-buttons"
       >
diff --git a/frontend/src/components/object/index.ts b/frontend/src/components/object/index.ts
index 8077fe58..6898cf49 100644
--- a/frontend/src/components/object/index.ts
+++ b/frontend/src/components/object/index.ts
@@ -5,7 +5,7 @@ export { default as DownloadObjectButton } from './DownloadObjectButton.vue';
 export { default as ObjectAccess } from './ObjectAccess.vue';
 export { default as ObjectFileDetails } from './ObjectFileDetails.vue';
 export { default as ObjectFilters } from './ObjectFilters.vue';
-export { default as ObjectIdpPermission } from './ObjectIdpPermission.vue';
+export { default as ObjectIdpToggle } from './ObjectIdpToggle.vue';
 export { default as ObjectList } from './ObjectList.vue';
 export { default as ObjectMetadata } from './ObjectMetadata.vue';
 export { default as ObjectMetadataTagForm } from './ObjectMetadataTagForm.vue';
diff --git a/frontend/src/store/bucketStore.ts b/frontend/src/store/bucketStore.ts
index 539f6fd1..41721b9d 100644
--- a/frontend/src/store/bucketStore.ts
+++ b/frontend/src/store/bucketStore.ts
@@ -108,7 +108,7 @@ export const useBucketStore = defineStore('bucket', () => {
       // Get a unique list of bucket IDs the user has access to
       // based on user permissions..
       const permResponse = await permissionStore.fetchBucketPermissions({ ...params, idp: undefined });
-      //  and IDP permissions (if current user's idp is provided in params)
+      //  and check IDP permissions (if current user's idp is provided in params)
       const IdpPermResponse = params?.idp
         ? await permissionStore.fetchBucketIdpPermissions({ ...params, userId: undefined })
         : undefined;
diff --git a/frontend/src/store/permissionStore.ts b/frontend/src/store/permissionStore.ts
index 0d0b3255..9f65144c 100644
--- a/frontend/src/store/permissionStore.ts
+++ b/frontend/src/store/permissionStore.ts
@@ -18,8 +18,8 @@ import type {
   IdentityProvider,
   Permission,
   User,
-  UserPermissions,
-  IdpPermissions
+  UserPermissions
+  // IdpPermissions
 } from '@/types';
 
 export type PermissionStoreState = {
@@ -31,8 +31,6 @@ export type PermissionStoreState = {
   // IDP permissions
   bucketIdpPermissions: Ref<any>;
   objectIdpPermissions: Ref<any>;
-  mappedBucketToIdpPermissions: Ref<any>;
-  mappedObjectToIdpPermissions: Ref<any>;
   // general permissions
   permissions: Ref<Array<Permission>>;
 };
@@ -54,15 +52,14 @@ export const usePermissionStore = defineStore('permission', () => {
     // IDP permissions
     bucketIdpPermissions: ref([]),
     objectIdpPermissions: ref([]),
-    mappedBucketToIdpPermissions: ref([]),
-    mappedObjectToIdpPermissions: ref([]),
     // general permissions
     permissions: ref([])
   };
 
   // Getters
   const getters = {
-    // User permissions
+    // User permissions getters
+    getObjectPermissions: computed(() => state.objectPermissions.value),
     getBucketPermissions: computed(() => state.bucketPermissions.value),
     getMappedBucketToUserPermissions: computed(() => state.mappedBucketToUserPermissions.value),
     getMappedObjectToUserPermissions: computed(() => state.mappedObjectToUserPermissions.value),
@@ -75,22 +72,36 @@ export const usePermissionStore = defineStore('permission', () => {
       });
       return op.concat(bp);
     }),
-
-    // IDP permissions
-    getMappedBucketToIdpPermissions: computed(() => state.mappedBucketToIdpPermissions.value),
-    getMappedObjectToIdpPermissions: computed(() => state.mappedObjectToIdpPermissions.value),
-    getMappedObjectAndBucketToIdpPermissions: computed(() => {
-      const op = state.mappedObjectToIdpPermissions.value.map((o: any) => {
-        return { ...o, resource: 'object' };
-      });
-      const bp = state.mappedBucketToIdpPermissions.value.map((b: any) => {
-        return { ...b, resource: 'bucket' };
-      });
-      return op.concat(bp);
+    // IDP permissions getters
+    getObjectIdpPermissions: computed(() => state.objectIdpPermissions.value),
+    getObjectInternal: computed(() => (objectId: string) => {
+      return (
+        state.objectIdpPermissions.value.filter(
+          (p: any) => p.objectId === objectId && p.idp === 'idir' && p.permCode === 'READ'
+        ).length > 0
+      );
     }),
-    getObjectPermissions: computed(() => state.objectPermissions.value),
-
-    // General permissions
+    getBucketIdpPermissions: computed(() => state.bucketIdpPermissions.value),
+    // is object/bucket 'internal' (READ perm for all IDI users)
+    getBucketInternal: computed(() => (bucketId: string) => {
+      return (
+        state.bucketIdpPermissions.value.filter(
+          (p: any) => p.bucketId === bucketId && p.idp === 'idir' && p.permCode === 'READ'
+        ).length > 0
+      );
+    }),
+    getInternal: computed(() => (object: any) => {
+      const objPerm =
+        state.objectIdpPermissions.value.filter(
+          (p: any) => p.objectId === object.id && p.idp === 'idir' && p.permCode === 'READ'
+        ).length > 0;
+      const bucketPerm =
+        state.bucketIdpPermissions.value.filter(
+          (p: any) => p.bucketId === object.bucketId && p.idp === 'idir' && p.permCode === 'READ'
+        ).length > 0;
+      return objPerm || bucketPerm;
+    }),
+    // General permissions getters
     getPermissions: computed(() => state.permissions.value)
   };
 
@@ -139,7 +150,7 @@ export const usePermissionStore = defineStore('permission', () => {
       toast.error('Adding bucket IDP permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
       await fetchBucketIdpPermissions({ bucketId: bucketId });
-      await mapBucketToIdpPermissions(bucketId);
+      // await mapBucketToIdpPermissions(bucketId);
       appStore.endIndeterminateLoading();
     }
   }
@@ -152,7 +163,7 @@ export const usePermissionStore = defineStore('permission', () => {
       toast.error('Adding object IDP permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
       await fetchObjectIdpPermissions({ objectId: objectId });
-      await mapObjectToIdpPermissions(objectId);
+      // await mapObjectToIdpPermissions(objectId);
       appStore.endIndeterminateLoading();
     }
   }
@@ -200,8 +211,8 @@ export const usePermissionStore = defineStore('permission', () => {
     } catch (error: any) {
       toast.error('Deleting bucket IDP permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
-      await fetchBucketPermissions({ bucketId: bucketId });
-      await mapBucketToIdpPermissions(bucketId);
+      await fetchBucketIdpPermissions({ bucketId: bucketId });
+      // await mapBucketToIdpPermissions(bucketId);
       appStore.endIndeterminateLoading();
     }
   }
@@ -213,8 +224,8 @@ export const usePermissionStore = defineStore('permission', () => {
     } catch (error: any) {
       toast.error('Deleting object IDP permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
-      await fetchObjectPermissions({ objectId: objectId });
-      await mapObjectToIdpPermissions(objectId);
+      await fetchObjectIdpPermissions({ objectId: objectId }); //
+      // await mapObjectToIdpPermissions(objectId);
       appStore.endIndeterminateLoading();
     }
   }
@@ -230,7 +241,7 @@ export const usePermissionStore = defineStore('permission', () => {
 
       // patch bucketPermissions state with latest perms from COMS
       const matches = (x: BucketPermission) =>
-        (!params.bucketId || x.bucketId === params.bucketId) &&
+        (!params.bucketId || x.bucketId === params.bucketId || params.bucketId.includes(x.bucketId)) &&
         (!params.userId || x.userId === params.userId) &&
         (!params.permCode || x.permCode === params.permCode);
       const [, difference] = partition(state.bucketPermissions.value, matches);
@@ -257,7 +268,7 @@ export const usePermissionStore = defineStore('permission', () => {
 
       // patch objectPermissions state with latest perms from COMS
       const matches = (x: COMSObjectPermission) =>
-        (!params.objectId || x.objectId === params.objectId) &&
+        (!params.objectId || x.objectId === params.objectId || params.objectId.includes(x.objectId)) &&
         (!params.userId || x.userId === params.userId) &&
         (!params.permCode || x.permCode === params.permCode);
       const [, difference] = partition(state.objectPermissions.value, matches);
@@ -392,21 +403,19 @@ export const usePermissionStore = defineStore('permission', () => {
     }
   }
 
-  async function fetchBucketIdpPermissions(params: any = {}): Promise<Array<any> | void> {
+  async function fetchBucketIdpPermissions(params: any = {}): Promise<Array<any> | undefined> {
     try {
       appStore.beginIndeterminateLoading();
 
       const response = (await permissionService.bucketSearchIdpPermissions(params)).data;
       const newPerms: Array<any> = response.flatMap((x: any) => x.permissions);
-
-      // patch bucketPermissions state with latest perms from COMS
+      // patch bucketIdpPermissions state with latest perms from COMS
       const matches = (x: any) =>
-        (!params.bucketId || x.bucketId === params.bucketId) &&
+        (!params.bucketId || x.bucketId === params.bucketId || params.bucketId.includes(x.bucketId)) &&
         (!params.idp || x.idp === params.idp) &&
         (!params.permCode || x.permCode === params.permCode);
       const [, difference] = partition(state.bucketIdpPermissions.value, matches);
       state.bucketIdpPermissions.value = difference.concat(newPerms);
-
       // Pass response back so bucketStore can handle bucketPerms=true correctly
       return response;
     } catch (error: any) {
@@ -419,19 +428,15 @@ export const usePermissionStore = defineStore('permission', () => {
   async function fetchObjectIdpPermissions(params: any = {}): Promise<Array<any> | undefined> {
     try {
       appStore.beginIndeterminateLoading();
-
       const response = (await permissionService.objectSearchIdpPermissions(params)).data;
-
       const newPerms: Array<any> = response.flatMap((x: any) => x.permissions);
-
-      // patch objectPermissions state with latest perms from COMS
+      // patch objectIdpPermissions state with latest perms from COMS
       const matches = (x: any) =>
-        (!params.objectId || x.objectId === params.objectId) &&
+        (!params.objectId || x.objectId === params.objectId || params.objectId.includes(x.objectId)) &&
         (!params.idp || x.idp === params.idp) &&
         (!params.permCode || x.permCode === params.permCode);
       const [, difference] = partition(state.objectIdpPermissions.value, matches);
       state.objectIdpPermissions.value = difference.concat(newPerms);
-
       // Pass response back so objectStore can handle bucketPerms=true correctly
       return response;
     } catch (error: any) {
@@ -441,66 +446,6 @@ export const usePermissionStore = defineStore('permission', () => {
     }
   }
 
-  async function mapBucketToIdpPermissions(bucketId: string): Promise<void> {
-    try {
-      appStore.beginIndeterminateLoading();
-      const bucketPerms = state.bucketIdpPermissions.value.filter((x: any) => x.bucketId === bucketId);
-      const uniqueIdpNames = [...new Set(bucketPerms.map((x: any) => x.idp))];
-
-      const hasPermission = (idp: string, permission: string) => {
-        return bucketPerms.some((perm: any) => perm.idp === idp && perm.permCode === permission);
-      };
-
-      const IdpPermissions: IdpPermissions[] = [];
-      uniqueIdpNames.forEach((idp: any) => {
-        IdpPermissions.push({
-          idp: idp,
-          create: hasPermission(idp, Permissions.CREATE),
-          read: hasPermission(idp, Permissions.READ),
-          update: hasPermission(idp, Permissions.UPDATE),
-          delete: hasPermission(idp, Permissions.DELETE),
-          manage: hasPermission(idp, Permissions.MANAGE)
-        });
-      });
-
-      state.mappedBucketToIdpPermissions.value = IdpPermissions;
-    } catch (error: any) {
-      toast.error('Mapping bucket permissions to IDP permissions', error.response?.data.detail ?? error, { life: 0 });
-    } finally {
-      appStore.endIndeterminateLoading();
-    }
-  }
-
-  async function mapObjectToIdpPermissions(objectId: string): Promise<void> {
-    try {
-      appStore.beginIndeterminateLoading();
-      const objectPerms = state.objectIdpPermissions.value.filter((x: any) => x.objectId === objectId);
-      const uniqueIdpNames = [...new Set(objectPerms.map((x: any) => x.idp))];
-
-      const hasPermission = (idp: string, permission: string) => {
-        return objectPerms.some((perm: any) => perm.idp === idp && perm.permCode === permission);
-      };
-
-      const idpPermissions: IdpPermissions[] = [];
-      uniqueIdpNames.forEach((idp: any) => {
-        idpPermissions.push({
-          idp: idp,
-          create: hasPermission(idp, Permissions.CREATE),
-          read: hasPermission(idp, Permissions.READ),
-          update: hasPermission(idp, Permissions.UPDATE),
-          delete: hasPermission(idp, Permissions.DELETE),
-          manage: hasPermission(idp, Permissions.MANAGE)
-        });
-      });
-
-      state.mappedObjectToIdpPermissions.value = idpPermissions;
-    } catch (error: any) {
-      toast.error('Mapping object permissions to IDP permissions', error.response?.data.detail ?? error, { life: 0 });
-    } finally {
-      appStore.endIndeterminateLoading();
-    }
-  }
-
   async function removeBucketUser(bucketId: string, userId: string): Promise<void> {
     try {
       appStore.beginIndeterminateLoading();
@@ -576,9 +521,7 @@ export const usePermissionStore = defineStore('permission', () => {
     fetchObjectIdpPermissions,
     fetchBucketIdpPermissions,
     deleteBucketIdpPermission,
-    deleteObjectIdpPermission,
-    mapBucketToIdpPermissions,
-    mapObjectToIdpPermissions
+    deleteObjectIdpPermission
   };
 });
 
diff --git a/frontend/src/views/list/ListObjectsView.vue b/frontend/src/views/list/ListObjectsView.vue
index bf765b32..fe20bcc9 100644
--- a/frontend/src/views/list/ListObjectsView.vue
+++ b/frontend/src/views/list/ListObjectsView.vue
@@ -48,6 +48,16 @@ const isBucketPublic = computed(() => {
 watch(isBucketPublic, () => remountComponent());
 const componentKey = ref(0);
 const remountComponent = () => (componentKey.value += 1);
+// make internal only flag reactive
+const isInternal = computed(() => {
+  const perms = (permissionStore.getBucketIdpPermissions ?? []).filter(
+    (p: any) => p.bucketId === props.bucketId && p.idp === 'idir' && p.permCode === 'READ'
+  );
+  return perms.length > 0;
+});
+// on isInternal change, re-mount ObjectList
+watch(isInternal, () => remountComponent());
+
 // show permissions modal
 const showPermissions = async (bucketId: string, bucketName: string) => {
   permissionsVisible.value = true;
@@ -144,6 +154,17 @@ onBeforeMount(async () => {
             rounded
             icon="pi pi-info-circle"
           />
+          <Tag
+            v-else-if="isInternal"
+            v-tooltip="
+              'This folder and its contents can be read by anyone internal to government. ' +
+              'Change the settings in &quot;Folder permissions.&quot;'
+            "
+            value="Internal"
+            severity="info"
+            rounded
+            icon="pi pi-info-circle"
+          />
         </span>
       </span>
 
@@ -188,6 +209,7 @@ onBeforeMount(async () => {
       :key="componentKey"
       :bucket-id="props.bucketId"
       :is-bucket-public="isBucketPublic"
+      :is-bucket-internal-only="isInternal"
     />
   </div>
 

From 87ef6928b66805b96cf7d7f125a07d2c2d9203e3 Mon Sep 17 00:00:00 2001
From: Csaky <tim.csaky@gov.bc.ca>
Date: Wed, 11 Mar 2026 18:13:39 -0700
Subject: [PATCH 3/6] Styling changes for IDP permission feature

Fetch IDP permissions on BucketTable
Remove tooltips; table column spacing
Sharing tag changes
---
 frontend/src/assets/main.scss                 |   6 +
 frontend/src/components/bucket/BucketList.vue |  12 +-
 .../components/bucket/BucketPermission.vue    |   2 +-
 .../src/components/bucket/BucketTable.vue     | 140 +++++++++---------
 .../src/components/common/ShareButton.vue     |   5 -
 frontend/src/components/layout/Navbar.vue     |   2 +-
 .../components/object/ObjectFileDetails.vue   |   9 +-
 .../src/components/object/ObjectTable.vue     |  52 +++----
 frontend/src/store/permissionStore.ts         |   8 +-
 frontend/src/views/list/ListObjectsView.vue   |  11 +-
 10 files changed, 113 insertions(+), 134 deletions(-)

diff --git a/frontend/src/assets/main.scss b/frontend/src/assets/main.scss
index 1dd2ac32..5cda649f 100644
--- a/frontend/src/assets/main.scss
+++ b/frontend/src/assets/main.scss
@@ -254,6 +254,12 @@ div:focus-visible {
   font-size: .8rem;
   padding: 0.25rem 0.75rem;
   font-weight: 400;
+  line-height: 1;
+
+  .p-tag-value {
+    margin-top: -2px;
+  }
+
 }
 
 .p-tag-danger {
diff --git a/frontend/src/components/bucket/BucketList.vue b/frontend/src/components/bucket/BucketList.vue
index e463cbd2..16c8d986 100644
--- a/frontend/src/components/bucket/BucketList.vue
+++ b/frontend/src/components/bucket/BucketList.vue
@@ -43,11 +43,19 @@ const closeBucketConfig = () => {
 };
 
 onMounted(async () => {
-  await bucketStore.fetchBuckets({
+  const buckets = await bucketStore.fetchBuckets({
     userId: getUserId.value,
-    idp: 'idir',
     objectPerms: true
   });
+  // get IDP permissions for labelling in table
+  if (buckets && buckets.length > 0 && usePermissionStore().isUserElevatedRights()) {
+    await usePermissionStore().fetchBucketIdpPermissions({
+      // limit to 1000 folders
+      bucketId: buckets.slice(0, 1000).map((b) => b.bucketId),
+      idp: 'idir',
+      objectPerms: true
+    });
+  }
 });
 </script>
 
diff --git a/frontend/src/components/bucket/BucketPermission.vue b/frontend/src/components/bucket/BucketPermission.vue
index b7af6a2c..eb37090a 100644
--- a/frontend/src/components/bucket/BucketPermission.vue
+++ b/frontend/src/components/bucket/BucketPermission.vue
@@ -107,7 +107,7 @@ onBeforeMount(async () => {
       <div class="flex flex-row pb-3">
         <div class="flex-grow-1">
           <h4 class="pb-1">Internl only</h4>
-          <p>Allow all IDIR users to view this flder and its content</p>
+          <p>Allow all IDIR users to view this folder and its content</p>
         </div>
         <BucketIdpToggle
           v-if="bucket && getUserId"
diff --git a/frontend/src/components/bucket/BucketTable.vue b/frontend/src/components/bucket/BucketTable.vue
index 603b11ed..0f0d8e3f 100644
--- a/frontend/src/components/bucket/BucketTable.vue
+++ b/frontend/src/components/bucket/BucketTable.vue
@@ -58,15 +58,6 @@ const getBucketPublicStatus = computed(() => {
   };
 });
 
-const getInternalStatus = computed(() => {
-  return (node: BucketTreeNode): boolean => {
-    if (node.data.bucketId) {
-      return permissionStore.getBucketInternal(node.data.bucketId);
-    }
-    return false;
-  };
-});
-
 const emit = defineEmits(['show-bucket-config', 'show-sidebar-info']);
 
 // Actions
@@ -190,7 +181,11 @@ function createDummyNodes(neighbour: BucketTreeNode, node: BucketTreeNode) {
   return current;
 }
 
-watch(getBuckets, () => {
+/**
+ * watch for changes to bucket and permissions in store
+ */
+// eslint-disable-next-line no-empty-pattern
+watch([getBuckets, permissionStore.getBucketIdpPermissions], ([]) => {
   // Make sure everything is clear for a rebuild...
   endpointMap.clear();
   bucketTreeNodeMap.clear();
@@ -328,83 +323,86 @@ watch(getBuckets, () => {
       </template>
     </Column>
     <Column
-      header="Actions"
-      header-class="text-right"
-      body-class="action-buttons"
-      header-style="width: 320px"
+      field="publicSharing"
+      header="Sharing"
+      style="width: 120px"
     >
+      >
       <template #body="{ node }">
         <span v-if="!node.data.dummy">
           <Tag
             v-if="getBucketPublicStatus(node)"
-            v-tooltip="
-              'This folder and its contents are set to public. Change the settings in &quot;Folder permissions.&quot;'
-            "
             value="Public"
             severity="danger"
             rounded
-            icon="pi pi-info-circle"
-            class="public-folder"
           />
-
           <Tag
-            v-if="!getBucketPublicStatus(node) && getInternalStatus(node)"
-            v-tooltip="'Contents of this Folder can be read by anyone internal to government.'"
-            value="Internal"
+            v-else-if="
+              permissionStore.getBucketInternal(node.data.bucketId) && usePermissionStore().isUserElevatedRights()
+            "
+            value="Internal (IDIR)"
             severity="info"
             rounded
-            icon="pi pi-info-circle"
-            class="ml-2 mb-1 min-w-100"
-          />
-
-          <BucketChildConfig
-            v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.CREATE)"
-            :parent-bucket="node.data"
-          />
-          <Button
-            v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.MANAGE)"
-            id="folder_permissions"
-            v-tooltip.bottom="'Folder permissions'"
-            class="p-button-lg p-button-text"
-            aria-label="Folder permissions"
-            @click="showPermissions(node.data.bucketId, node.data.bucketName)"
-          >
-            <span class="material-icons-outlined">supervisor_account</span>
-          </Button>
-          <ShareButton
-            :bucket-id="node.data.bucketId"
-            label-text="Folder"
+            class="mb-1 min-w-100"
           />
-          <Button
-            v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.MANAGE)"
-            v-tooltip.bottom="'Configure folder'"
-            class="p-button-lg p-button-text"
-            aria-label="Configure folder"
-            @click="showBucketConfig({ ...node.data, isRoot: node.isRoot })"
-          >
-            <span class="material-icons-outlined">settings</span>
-          </Button>
-          <Button
-            v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.READ)"
-            v-tooltip.bottom="'Folder details'"
-            class="p-button-lg p-button-rounded p-button-text"
-            aria-label="Folder details"
-            @click="showSidebarInfo(node.data.bucketId)"
-          >
-            <span class="material-icons-outlined">info</span>
-          </Button>
-          <Button
-            v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.DELETE)"
-            v-tooltip.bottom="'Delete folder'"
-            class="p-button-lg p-button-text p-button-danger"
-            aria-label="Delete folder"
-            @click="confirmDeleteBucket(node.data.bucketId)"
-          >
-            <span class="material-icons-outlined">delete</span>
-          </Button>
         </span>
       </template>
     </Column>
+
+    <Column
+      header="Actions"
+      header-class="text-right"
+      body-class="action-buttons"
+      header-style="width: 20px"
+    >
+      <template #body="{ node }">
+        <BucketChildConfig
+          v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.CREATE)"
+          :parent-bucket="node.data"
+        />
+        <Button
+          v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.MANAGE)"
+          id="folder_permissions"
+          v-tooltip.bottom="'Folder permissions'"
+          class="p-button-lg p-button-text"
+          aria-label="Folder permissions"
+          @click="showPermissions(node.data.bucketId, node.data.bucketName)"
+        >
+          <span class="material-icons-outlined">supervisor_account</span>
+        </Button>
+        <ShareButton
+          :bucket-id="node.data.bucketId"
+          label-text="Folder"
+        />
+        <Button
+          v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.MANAGE)"
+          v-tooltip.bottom="'Configure folder'"
+          class="p-button-lg p-button-text"
+          aria-label="Configure folder"
+          @click="showBucketConfig({ ...node.data, isRoot: node.isRoot })"
+        >
+          <span class="material-icons-outlined">settings</span>
+        </Button>
+        <Button
+          v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.READ)"
+          v-tooltip.bottom="'Folder details'"
+          class="p-button-lg p-button-rounded p-button-text"
+          aria-label="Folder details"
+          @click="showSidebarInfo(node.data.bucketId)"
+        >
+          <span class="material-icons-outlined">info</span>
+        </Button>
+        <Button
+          v-if="permissionStore.isBucketActionAllowed(node.data.bucketId, getUserId, Permissions.DELETE)"
+          v-tooltip.bottom="'Delete folder'"
+          class="p-button-lg p-button-text p-button-danger"
+          aria-label="Delete folder"
+          @click="confirmDeleteBucket(node.data.bucketId)"
+        >
+          <span class="material-icons-outlined">delete</span>
+        </Button>
+      </template>
+    </Column>
   </TreeTable>
 
   <!-- eslint-disable vue/no-v-model-argument -->
diff --git a/frontend/src/components/common/ShareButton.vue b/frontend/src/components/common/ShareButton.vue
index 52f4d761..c407feb7 100644
--- a/frontend/src/components/common/ShareButton.vue
+++ b/frontend/src/components/common/ShareButton.vue
@@ -98,14 +98,9 @@ const showDialog = (x: boolean) => {
       <span class="ml-3 text-sm flex-grow-1">
         <Tag
           v-if="resource?.public"
-          v-tooltip="
-            `This ${resourceType === 'object' ? 'file is' : 'folder and its contents are'} set to public. 
-              Change the settings in &quot;${resourceType === 'object' ? 'File' : 'Folder'} Permissions.&quot;`
-          "
           value="Public"
           severity="danger"
           rounded
-          icon="pi pi-info-circle"
         />
       </span>
     </template>
diff --git a/frontend/src/components/layout/Navbar.vue b/frontend/src/components/layout/Navbar.vue
index b4e220be..46af5e5c 100644
--- a/frontend/src/components/layout/Navbar.vue
+++ b/frontend/src/components/layout/Navbar.vue
@@ -39,7 +39,7 @@ const { getIsAuthenticated, getProfile } = storeToRefs(useAuthStore());
               :to="{ name: RouteNames.LIST_OBJECTS_DELETED }"
               aria-label="Recycle Bin"
             >
-            Recycle Bin
+              Recycle Bin
             </router-link>
           </li>
           <li class="mr-2">
diff --git a/frontend/src/components/object/ObjectFileDetails.vue b/frontend/src/components/object/ObjectFileDetails.vue
index 1b73557e..da64eb20 100644
--- a/frontend/src/components/object/ObjectFileDetails.vue
+++ b/frontend/src/components/object/ObjectFileDetails.vue
@@ -166,22 +166,15 @@ onMounted(async () => {
           <span class="ml-3 text-sm flex-grow-1">
             <Tag
               v-if="object?.public"
-              v-tooltip="`This file is set as public`"
               value="Public"
               severity="danger"
               rounded
-              icon="pi pi-info-circle"
             />
             <Tag
               v-else-if="isInternal"
-              v-tooltip="
-                'This folder and its contents can be read by anyone internal to government. ' +
-                'Change the settings in &quot;Folder permissions.&quot;'
-              "
-              value="Internal"
+              value="Internal (IDIR)"
               severity="info"
               rounded
-              icon="pi pi-info-circle"
             />
           </span>
         </div>
diff --git a/frontend/src/components/object/ObjectTable.vue b/frontend/src/components/object/ObjectTable.vue
index ca8ec202..26812877 100644
--- a/frontend/src/components/object/ObjectTable.vue
+++ b/frontend/src/components/object/ObjectTable.vue
@@ -3,16 +3,10 @@ import { storeToRefs } from 'pinia';
 import { computed, onUnmounted, onMounted, ref } from 'vue';
 
 import { Spinner } from '@/components/layout';
-import {
-  DeleteObjectButton,
-  DownloadObjectButton,
-  ObjectFilters,
-  ObjectPermission,
-  ObjectPublicToggle
-} from '@/components/object';
+import { DeleteObjectButton, DownloadObjectButton, ObjectFilters, ObjectPermission } from '@/components/object';
 import { ShareButton } from '@/components/common';
 import { Button, Column, DataTable, Dialog, InputText, Tag } from '@/lib/primevue';
-import { useAuthStore, useObjectStore, useNavStore, usePermissionStore } from '@/store';
+import { useAuthStore, useBucketStore, useObjectStore, useNavStore, usePermissionStore } from '@/store';
 import { Permissions, RouteNames } from '@/utils/constants';
 import { onDialogHide } from '@/utils/utils';
 import { ButtonMode } from '@/utils/enums';
@@ -35,16 +29,13 @@ type DataTableFilter = {
 };
 // Props
 type Props = {
-  bucketId?: string;
+  bucketId: string;
   isBucketPublic?: boolean;
-  isBucketInternal?: boolean;
   objectInfoId?: string;
 };
 
 const props = withDefaults(defineProps<Props>(), {
-  bucketId: undefined,
   isBucketPublic: undefined,
-  isBucketInternal: undefined,
   objectInfoId: undefined
 });
 
@@ -52,6 +43,7 @@ const props = withDefaults(defineProps<Props>(), {
 const emit = defineEmits(['show-object-info']);
 
 // Store
+const bucketStore = useBucketStore();
 const objectStore = useObjectStore();
 const permissionStore = usePermissionStore();
 const { getUserId, getIsAuthenticated } = storeToRefs(useAuthStore());
@@ -79,6 +71,8 @@ const isObjectInternal = computed(() => {
     return permissionStore.getObjectInternal(objId);
   };
 });
+const bucket = bucketStore.getBucket(props.bucketId);
+const isBucketInternal = permissionStore.getBucketInternal(props.bucketId);
 
 // Actions
 const formatShortUuid = (uuid: string) => uuid?.slice(0, 8) ?? uuid;
@@ -290,7 +284,6 @@ async function downloadPublicObject(objectId: string) {
         field="name"
         sortable
         header="Name"
-        header-style="min-width: 25%"
         body-class="truncate"
       >
         <template #body="{ data }">
@@ -323,7 +316,7 @@ async function downloadPublicObject(objectId: string) {
         field="id"
         sortable
         header="Object ID"
-        style="width: 150px"
+        style="display: none"
       >
         <template #body="{ data }">
           <div
@@ -347,39 +340,34 @@ async function downloadPublicObject(objectId: string) {
       <Column
         v-if="getIsAuthenticated"
         field="publicSharing"
-        header="Public"
-        class=""
-        style="width: 300px"
+        header="Sharing"
+        style="width: 120px"
       >
         <template #body="{ data }">
-          <div class="flex align-items-center">
-            <ObjectPublicToggle
-              v-if="props.bucketId && getUserId"
-              :bucket-id="props.bucketId"
-              :bucket-public="props.isBucketPublic"
-              :object-id="data.id"
-              :object-name="data.name"
-              :object-public="data.public"
-              :user-id="getUserId"
+          <div class="">
+            <Tag
+              v-if="data.public || bucket?.public"
+              value="Public"
+              severity="danger"
+              rounded
+              class="mb-1 min-w-100"
             />
 
             <Tag
-              v-if="!props.isBucketPublic && !data.public && !props.isBucketInternal && isObjectInternal(data.id)"
-              v-tooltip="'This file can be read by anyone internal to government.'"
-              value="Internal"
+              v-if="!props.isBucketPublic && !data.public && (isBucketInternal || isObjectInternal(data.id))"
+              value="Internal (IDIR)"
               severity="info"
               rounded
-              icon="pi pi-info-circle"
-              class="ml-2 mb-1 min-w-100"
+              class="mb-1 min-w-100"
             />
           </div>
         </template>
       </Column>
       <Column
         header="Actions"
-        :header-style="getIsAuthenticated ? 'min-width: 240px' : 'width: 40px'"
         header-class="header-right"
         body-class="action-buttons"
+        style="width: 200px"
       >
         <template #body="{ data }">
           <DownloadObjectButton
diff --git a/frontend/src/store/permissionStore.ts b/frontend/src/store/permissionStore.ts
index 9f65144c..14349e56 100644
--- a/frontend/src/store/permissionStore.ts
+++ b/frontend/src/store/permissionStore.ts
@@ -114,7 +114,7 @@ export const usePermissionStore = defineStore('permission', () => {
     } catch (error: any) {
       toast.error('Adding bucket permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
-      await fetchBucketPermissions({ bucketId: bucketId });
+      await fetchBucketPermissions();
       await mapBucketToUserPermissions(bucketId);
       appStore.endIndeterminateLoading();
     }
@@ -149,7 +149,7 @@ export const usePermissionStore = defineStore('permission', () => {
     } catch (error: any) {
       toast.error('Adding bucket IDP permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
-      await fetchBucketIdpPermissions({ bucketId: bucketId });
+      await fetchBucketIdpPermissions();
       // await mapBucketToIdpPermissions(bucketId);
       appStore.endIndeterminateLoading();
     }
@@ -184,7 +184,7 @@ export const usePermissionStore = defineStore('permission', () => {
     } catch (error: any) {
       toast.error('Deleting bucket permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
-      await fetchBucketPermissions({ bucketId: bucketId });
+      await fetchBucketPermissions();
       await mapBucketToUserPermissions(bucketId);
       appStore.endIndeterminateLoading();
     }
@@ -211,7 +211,7 @@ export const usePermissionStore = defineStore('permission', () => {
     } catch (error: any) {
       toast.error('Deleting bucket IDP permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
-      await fetchBucketIdpPermissions({ bucketId: bucketId });
+      await fetchBucketIdpPermissions();
       // await mapBucketToIdpPermissions(bucketId);
       appStore.endIndeterminateLoading();
     }
diff --git a/frontend/src/views/list/ListObjectsView.vue b/frontend/src/views/list/ListObjectsView.vue
index fe20bcc9..442a36fc 100644
--- a/frontend/src/views/list/ListObjectsView.vue
+++ b/frontend/src/views/list/ListObjectsView.vue
@@ -146,24 +146,15 @@ onBeforeMount(async () => {
         <span class="ml-3 flex align-items-center">
           <Tag
             v-if="isBucketPublic"
-            v-tooltip="
-              'This folder and its contents are set to public. Change the settings in &quot;Folder permissions.&quot;'
-            "
             value="Public"
             severity="danger"
             rounded
-            icon="pi pi-info-circle"
           />
           <Tag
             v-else-if="isInternal"
-            v-tooltip="
-              'This folder and its contents can be read by anyone internal to government. ' +
-              'Change the settings in &quot;Folder permissions.&quot;'
-            "
-            value="Internal"
+            value="Internal (IDIR)"
             severity="info"
             rounded
-            icon="pi pi-info-circle"
           />
         </span>
       </span>

From 77f24b3e7dc5666537d2132a5274fac94d25eafe Mon Sep 17 00:00:00 2001
From: Csaky <tim.csaky@gov.bc.ca>
Date: Tue, 17 Mar 2026 15:30:06 -0700
Subject: [PATCH 4/6] Prevent exceptions to Internal setting on folders

---
 .../src/components/bucket/BucketIdpToggle.vue | 70 ++++++++++++-------
 .../components/bucket/BucketPermission.vue    |  2 +-
 .../src/components/bucket/BucketTable.vue     |  2 +-
 .../src/components/object/ObjectIdpToggle.vue |  2 +-
 .../components/object/ObjectPermission.vue    |  2 +-
 .../src/components/object/ObjectTable.vue     |  2 +-
 frontend/src/services/bucketService.ts        |  2 +
 frontend/src/store/permissionStore.ts         |  4 +-
 .../src/types/options/SearchBucketsOptions.ts |  2 +
 frontend/src/utils/utils.ts                   | 13 ++++
 10 files changed, 67 insertions(+), 34 deletions(-)

diff --git a/frontend/src/components/bucket/BucketIdpToggle.vue b/frontend/src/components/bucket/BucketIdpToggle.vue
index bb1338d2..16479c87 100644
--- a/frontend/src/components/bucket/BucketIdpToggle.vue
+++ b/frontend/src/components/bucket/BucketIdpToggle.vue
@@ -2,9 +2,11 @@
 import { computed, onMounted, ref, watch } from 'vue';
 
 import { InputSwitch, useConfirm, useToast } from '@/lib/primevue';
-import { usePermissionStore } from '@/store';
+import { useBucketStore, usePermissionStore } from '@/store';
+import { bucketService } from '@/services';
 import { Permissions } from '@/utils/constants';
 
+import { getParentKey } from '@/utils/utils';
 import type { Ref } from 'vue';
 
 // Props
@@ -14,40 +16,23 @@ type Props = {
   bucketPublic: boolean;
   userId: string;
 };
-
 const props = withDefaults(defineProps<Props>(), {});
 
 // Store
+const bucketStore = useBucketStore();
 const permissionStore = usePermissionStore();
 
 // State
 const isInternal: Ref<boolean> = ref(false);
-const fetchBucketInternal = async (): Promise<boolean> => {
-  const bucketIdpPermissions = await permissionStore.fetchBucketIdpPermissions({
-    bucketId: props.bucketId,
-    permCode: 'READ',
-    idp: 'idir'
-  });
-  const hasPerms = (bucketIdpPermissions?.length ?? 0) > 0;
+const isParentBucketInternal = ref(false);
 
-  return hasPerms || props.bucketPublic;
-};
-
-// check bucket for the IDP permission
-const isBucketInternal: Ref<boolean> = ref(false);
-const isParentBucketInternal: Ref<boolean> = ref(false);
-const fetchParentBucketInternal = async (): Promise<boolean> => {
-  const bucketIdpPermissions = await permissionStore.fetchBucketIdpPermissions({
-    bucketId: props.bucketId,
-    permCode: 'READ',
-    idp: 'idir'
-  });
-  return (bucketIdpPermissions?.length ?? 0) > 0;
-};
+const isInternalState = computed(() => {
+  return permissionStore.getBucketInternal(props.bucketId) || props.bucketPublic || isParentBucketInternal.value;
+});
 
 const isToggleEnabled = computed(() => {
   return (
-    !isBucketInternal.value &&
+    !isParentBucketInternal.value &&
     !props.bucketPublic &&
     usePermissionStore().isUserElevatedRights() &&
     permissionStore.isBucketActionAllowed(props.bucketId, props.userId, Permissions.MANAGE)
@@ -100,8 +85,39 @@ const toggleIdp = async (value: boolean) => {
 };
 
 onMounted(async () => {
-  isInternal.value = await fetchBucketInternal();
-  isParentBucketInternal.value = await fetchParentBucketInternal();
+  // refresh current bucket IDP permissions
+  await permissionStore.fetchBucketIdpPermissions({
+    bucketId: props.bucketId,
+    permCode: 'READ',
+    idp: 'idir'
+  });
+
+  // get immediate parent bucket IDP permissions
+  // TODO: get perms for every parent in path (eg: x/y/z/currentBucket)
+  // let isParentBucketInternal = false;
+  const bucket = bucketStore.getBucket(props.bucketId);
+  if (bucket) {
+    // if current bucket is not at root
+    if (bucket.key !== '/') {
+      // search for parent bucket by endpoint and bucket and segment of key
+      const responseArray = (
+        await bucketService.searchBuckets({
+          key: getParentKey(bucket.key),
+          endpoint: bucket.endpoint,
+          bucket: bucket.bucket
+        })
+      ).data;
+      const parent = responseArray.reduce((a: any, b: any) => (a.key.length <= b.key.length ? a : b));
+      // fetch bucketIdpPermissions for parent
+      await permissionStore.fetchBucketIdpPermissions({
+        bucketId: parent.bucketId,
+        permCode: 'READ',
+        idp: 'idir'
+      });
+      isParentBucketInternal.value = permissionStore.getBucketInternal(parent.bucketId);
+    }
+  }
+  isInternal.value = isInternalState.value;
 });
 
 watch(props, () => {
@@ -130,7 +146,7 @@ watch(props, () => {
   >
     <InputSwitch
       :model-value="isInternal"
-      aria-label="Toggle to make file Internl only"
+      aria-label="Toggle to make file Internal only"
       :disabled="!isToggleEnabled"
       @update:model-value="toggleIdp($event)"
     />
diff --git a/frontend/src/components/bucket/BucketPermission.vue b/frontend/src/components/bucket/BucketPermission.vue
index eb37090a..c71c7f2a 100644
--- a/frontend/src/components/bucket/BucketPermission.vue
+++ b/frontend/src/components/bucket/BucketPermission.vue
@@ -106,7 +106,7 @@ onBeforeMount(async () => {
 
       <div class="flex flex-row pb-3">
         <div class="flex-grow-1">
-          <h4 class="pb-1">Internl only</h4>
+          <h4 class="pb-1">Internal only</h4>
           <p>Allow all IDIR users to view this folder and its content</p>
         </div>
         <BucketIdpToggle
diff --git a/frontend/src/components/bucket/BucketTable.vue b/frontend/src/components/bucket/BucketTable.vue
index 0f0d8e3f..3be04723 100644
--- a/frontend/src/components/bucket/BucketTable.vue
+++ b/frontend/src/components/bucket/BucketTable.vue
@@ -325,7 +325,7 @@ watch([getBuckets, permissionStore.getBucketIdpPermissions], ([]) => {
     <Column
       field="publicSharing"
       header="Sharing"
-      style="width: 120px"
+      style="width: 150px"
     >
       >
       <template #body="{ node }">
diff --git a/frontend/src/components/object/ObjectIdpToggle.vue b/frontend/src/components/object/ObjectIdpToggle.vue
index ba2c8e31..c56ea40e 100644
--- a/frontend/src/components/object/ObjectIdpToggle.vue
+++ b/frontend/src/components/object/ObjectIdpToggle.vue
@@ -117,7 +117,7 @@ onMounted(async () => {
   >
     <InputSwitch
       :model-value="switchVal"
-      aria-label="Toggle to make file Internl only"
+      aria-label="Toggle to make file Internal only"
       :disabled="!isToggleEnabled"
       @update:model-value="toggleIdp($event)"
     />
diff --git a/frontend/src/components/object/ObjectPermission.vue b/frontend/src/components/object/ObjectPermission.vue
index 52339466..7e62ab2b 100644
--- a/frontend/src/components/object/ObjectPermission.vue
+++ b/frontend/src/components/object/ObjectPermission.vue
@@ -121,7 +121,7 @@ onBeforeMount(() => {
 
       <div class="flex flex-row pb-3">
         <div class="flex-grow-1">
-          <h4 class="pb-1">Internl only</h4>
+          <h4 class="pb-1">Internal only</h4>
           <p>
             Give access to
             <strong>all IDIR users</strong>
diff --git a/frontend/src/components/object/ObjectTable.vue b/frontend/src/components/object/ObjectTable.vue
index 26812877..c001cc52 100644
--- a/frontend/src/components/object/ObjectTable.vue
+++ b/frontend/src/components/object/ObjectTable.vue
@@ -341,7 +341,7 @@ async function downloadPublicObject(objectId: string) {
         v-if="getIsAuthenticated"
         field="publicSharing"
         header="Sharing"
-        style="width: 120px"
+        style="width: 150px"
       >
         <template #body="{ data }">
           <div class="">
diff --git a/frontend/src/services/bucketService.ts b/frontend/src/services/bucketService.ts
index e6256f5c..2b4ce0f6 100644
--- a/frontend/src/services/bucketService.ts
+++ b/frontend/src/services/bucketService.ts
@@ -31,6 +31,8 @@ export default {
       if (params.active !== undefined) urlLimit -= '&active=false'.length;
       if (params.key) urlLimit -= `&key=${encodeURIComponent(params.key)}`.length;
       if (params.bucketName) urlLimit -= `&bucketName=${encodeURIComponent(params.bucketName)}`.length;
+      if (params.bucket) urlLimit -= `&bucket=${encodeURIComponent(params.bucket)}`.length;
+      if (params.endpoint) urlLimit -= `&endpoint=${encodeURIComponent(params.endpoint)}`.length;
 
       // account for bucketId param
       const BUCKET_ID_PARAM_LENGTH = '&bucketId[]='.length + 36; // uuidv4's have 36 chars, including dashes
diff --git a/frontend/src/store/permissionStore.ts b/frontend/src/store/permissionStore.ts
index 14349e56..f170baf9 100644
--- a/frontend/src/store/permissionStore.ts
+++ b/frontend/src/store/permissionStore.ts
@@ -114,7 +114,7 @@ export const usePermissionStore = defineStore('permission', () => {
     } catch (error: any) {
       toast.error('Adding bucket permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
-      await fetchBucketPermissions();
+      await fetchBucketPermissions({ userId: userId });
       await mapBucketToUserPermissions(bucketId);
       appStore.endIndeterminateLoading();
     }
@@ -184,7 +184,7 @@ export const usePermissionStore = defineStore('permission', () => {
     } catch (error: any) {
       toast.error('Deleting bucket permission', error.response?.data.detail ?? error, { life: 0 });
     } finally {
-      await fetchBucketPermissions();
+      await fetchBucketPermissions({ userId: userId });
       await mapBucketToUserPermissions(bucketId);
       appStore.endIndeterminateLoading();
     }
diff --git a/frontend/src/types/options/SearchBucketsOptions.ts b/frontend/src/types/options/SearchBucketsOptions.ts
index af6f7fe9..437d3e35 100644
--- a/frontend/src/types/options/SearchBucketsOptions.ts
+++ b/frontend/src/types/options/SearchBucketsOptions.ts
@@ -1,6 +1,8 @@
 export type SearchBucketsOptions = {
   bucketId?: Array<string>;
   bucketName?: string;
+  bucket?: string;
+  endpoint?: string;
   key?: string;
   active?: boolean;
 };
diff --git a/frontend/src/utils/utils.ts b/frontend/src/utils/utils.ts
index 82761a60..69138997 100644
--- a/frontend/src/utils/utils.ts
+++ b/frontend/src/utils/utils.ts
@@ -143,6 +143,19 @@ export function getLastSegment(path: string) {
   return p.slice(p.lastIndexOf('/') + 1);
 }
 
+/**
+ * @function getPenultimateSegment
+ * Returns the second last segment of a path, ignoring trailing slashes
+ * @param {string} path full path (eg: http://abc.com/bucket/test)
+ * @returns {string | undefined} last segment of a path (eg: bucket)
+ */
+export function getParentKey(path: string) {
+  if (path === '/') return undefined;
+  const segments = path.split('/');
+  const filteredSegments = segments.filter((segment) => segment.length > 0);
+  return filteredSegments.length > 1 ? filteredSegments.slice(0, -1).join('/') : '/';
+}
+
 /**
  * @function onDialogHide
  * Return focus to the button which trigger model visibility

From 4ce733f33f36e36d08d686237787595dbc03b590 Mon Sep 17 00:00:00 2001
From: Csaky <tim.csaky@gov.bc.ca>
Date: Tue, 17 Mar 2026 17:32:08 -0700
Subject: [PATCH 5/6] Bug fix for viewing public folder when logged in but have
 no user permissions

---
 frontend/src/components/object/ObjectTable.vue |  2 +-
 frontend/src/views/list/ListObjectsView.vue    | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/frontend/src/components/object/ObjectTable.vue b/frontend/src/components/object/ObjectTable.vue
index c001cc52..d79dc61d 100644
--- a/frontend/src/components/object/ObjectTable.vue
+++ b/frontend/src/components/object/ObjectTable.vue
@@ -120,7 +120,7 @@ const loadLazyData = (event?: any) => {
         limit: lazyParams.value.rows,
         sort: lazyParams.value.sortField,
         order: lazyParams.value.sortOrder === 1 ? 'asc' : 'desc',
-        public: !getIsAuthenticated.value ? true : undefined,
+        public: !getIsAuthenticated.value || bucket?.public ? true : undefined,
         tagset: getIsAuthenticated.value ? lazyParams.value?.filters?.tags.value : undefined
       },
       lazyParams.value?.filters?.meta.value //Header
diff --git a/frontend/src/views/list/ListObjectsView.vue b/frontend/src/views/list/ListObjectsView.vue
index 442a36fc..58584296 100644
--- a/frontend/src/views/list/ListObjectsView.vue
+++ b/frontend/src/views/list/ListObjectsView.vue
@@ -111,12 +111,18 @@ onBeforeMount(async () => {
   if (props?.bucketId) {
     // if logged in, fetch bucket; populate bucket and permissions in store
     if (getIsAuthenticated.value) {
-      bucketResponse = await bucketStore.fetchBuckets({
-        bucketId: props.bucketId,
-        userId: getUserId.value,
-        idp: (getProfile.value as any)?.identity_provider,
-        objectPerms: true
-      });
+      const bucket = await bucketStore.fetchBucket(props.bucketId);
+      if (bucket.public) {
+        bucketResponse = [bucket];
+      } else {
+        // get bucket permitted through User perms
+        bucketResponse = await bucketStore.fetchBuckets({
+          bucketId: props.bucketId,
+          userId: getUserId.value,
+          idp: (getProfile.value as any)?.identity_provider,
+          objectPerms: true
+        });
+      }
     } else {
       bucketResponse = [await bucketStore.fetchBucket(props.bucketId)];
     }

From 6d947bccc8ea0d4c7a8f24d8559cb696c9dab948 Mon Sep 17 00:00:00 2001
From: Csaky <tim.csaky@gov.bc.ca>
Date: Wed, 18 Mar 2026 11:08:47 -0700
Subject: [PATCH 6/6] IDP permission wording changes

---
 .../src/components/bucket/BucketIdpToggle.vue | 22 +++++++++---------
 .../components/bucket/BucketPermission.vue    | 17 +++++---------
 .../components/bucket/BucketPublicToggle.vue  | 11 +++++----
 .../src/components/bucket/BucketTable.vue     |  2 +-
 frontend/src/components/form/SearchUsers.vue  |  4 ++--
 .../components/object/ObjectFileDetails.vue   |  2 +-
 .../src/components/object/ObjectIdpToggle.vue | 23 +++++++++++--------
 .../components/object/ObjectPermission.vue    | 15 ++++--------
 .../src/components/object/ObjectTable.vue     |  2 +-
 frontend/src/views/list/ListObjectsView.vue   |  2 +-
 10 files changed, 46 insertions(+), 54 deletions(-)

diff --git a/frontend/src/components/bucket/BucketIdpToggle.vue b/frontend/src/components/bucket/BucketIdpToggle.vue
index 16479c87..f79b3cf0 100644
--- a/frontend/src/components/bucket/BucketIdpToggle.vue
+++ b/frontend/src/components/bucket/BucketIdpToggle.vue
@@ -46,18 +46,18 @@ const confirm = useConfirm();
 const toggleIdp = async (value: boolean) => {
   if (value) {
     confirm.require({
-      message: "Setting this file to 'Internal only' will allow all IDIR users " + 'to view and download it.',
-      header: 'Set file to Internal only?',
-      acceptLabel: 'Set to Internal only',
+      message: 'This setting will allow all IDIR users to view the contents of this folder using the share link.',
+      header: 'Give access to all IDIR users?',
+      acceptLabel: 'Confirm',
       rejectLabel: 'Cancel',
       accept: () => {
         permissionStore
           .addBucketIdpPermission(props.bucketId, 'idir', 'READ')
           .then(() => {
             isInternal.value = true;
-            toast.success('File set to Internal only', `"${props.bucketName}" is now Internal only`);
+            toast.success('IDIR permission applied', `"${props.bucketName}" can now be viewed by all IDIR users`);
           })
-          .catch((e) => toast.error('Setting file to Internal only failed', e.response?.data.detail, { life: 0 }));
+          .catch((e) => toast.error("Setting folder to 'All IDIR' failed", e.response?.data.detail, { life: 0 }));
       },
       reject: () => (isInternal.value = false),
       onHide: () => (isInternal.value = false)
@@ -65,8 +65,8 @@ const toggleIdp = async (value: boolean) => {
   } else
     confirm.require({
       message:
-        "Setting this file to private will remove 'Internal only' access. " +
-        'Only users with permissions will be able to view or download the file.',
+        "You are removing the 'IDIR Users' sharing access. " +
+        'Only users with permissions will be able to view or download the contents of this folder.',
       header: 'Set file to private?',
       acceptLabel: 'Set to private',
       rejectLabel: 'Cancel',
@@ -75,9 +75,9 @@ const toggleIdp = async (value: boolean) => {
           .deleteBucketIdpPermission(props.bucketId, 'idir', 'READ')
           .then(() => {
             isInternal.value = false;
-            toast.success('File set to private', `"${props.bucketName}" is no longer 'Internal only'`);
+            toast.success('Folder set to private', `"${props.bucketName}" is no longer available to all IDIR users'`);
           })
-          .catch((e) => toast.error('Setting file to private failed', e.response?.data.detail, { life: 0 }));
+          .catch((e) => toast.error('Setting folder to private failed', e.response?.data.detail, { life: 0 }));
       },
       reject: () => (isInternal.value = true),
       onHide: () => (isInternal.value = true)
@@ -141,12 +141,12 @@ watch(props, () => {
         ? ''
         : props.bucketPublic
           ? 'Enabled by Public Sharing'
-          : 'Change the folder\'s \'Internal only\' setting to update this file'
+          : 'To change this, update the parent folder\'s settings'
     "
   >
     <InputSwitch
       :model-value="isInternal"
-      aria-label="Toggle to make file Internal only"
+      aria-label="Toggle to make file available to all IDIR users"
       :disabled="!isToggleEnabled"
       @update:model-value="toggleIdp($event)"
     />
diff --git a/frontend/src/components/bucket/BucketPermission.vue b/frontend/src/components/bucket/BucketPermission.vue
index c71c7f2a..14dda702 100644
--- a/frontend/src/components/bucket/BucketPermission.vue
+++ b/frontend/src/components/bucket/BucketPermission.vue
@@ -82,17 +82,12 @@ onBeforeMount(async () => {
 <template>
   <TabView>
     <TabPanel header="Manage permissions">
-      <h3>Sharing Access</h3>
+      <h3 class="pb-2">Sharing Access</h3>
       <!-- public toggle -->
       <div class="flex pb-3">
         <div class="flex-grow-1">
-          <div class="pb-1">
-            <h4>Set to public</h4>
-            <p>
-              Enabling this shares all files and subfolders. Anyone with the link can view the content without signing
-              in.
-            </p>
-          </div>
+          <h4>Public</h4>
+          <p>Anyone with the share link can view this folder and its contents without signing in.</p>
         </div>
         <BucketPublicToggle
           v-if="bucket && getUserId"
@@ -106,8 +101,8 @@ onBeforeMount(async () => {
 
       <div class="flex flex-row pb-3">
         <div class="flex-grow-1">
-          <h4 class="pb-1">Internal only</h4>
-          <p>Allow all IDIR users to view this folder and its content</p>
+          <h4>IDIR Users</h4>
+          <p>All IDIR users with the share link can view this folder and its contents.</p>
         </div>
         <BucketIdpToggle
           v-if="bucket && getUserId"
@@ -118,7 +113,7 @@ onBeforeMount(async () => {
         />
       </div>
 
-      <h3>User Permissions</h3>
+      <h3 class="my-2">User Permissions</h3>
       <!-- user search -->
       <div v-if="!showSearchUsers">
         <Button
diff --git a/frontend/src/components/bucket/BucketPublicToggle.vue b/frontend/src/components/bucket/BucketPublicToggle.vue
index f9748f9a..9cdd0be8 100644
--- a/frontend/src/components/bucket/BucketPublicToggle.vue
+++ b/frontend/src/components/bucket/BucketPublicToggle.vue
@@ -34,8 +34,9 @@ const togglePublic = async (setPublicValue: boolean) => {
   if (setPublicValue) {
     confirm.require({
       message:
-        'Setting this folder to public will allow anyone to access all subfolders and files. ' +
-        'Anyone with a link can view the contents of this folder in BCBox without signing in.',
+        'This will allow anyone with the folder Share Link to view the content of this folder ' +
+        'and subfolders in BCBox. ' +
+        'All files in this folder can be downloaded by anyone using the public download link.',
       header: 'Set folder to public?',
       acceptLabel: 'Set to public',
       rejectLabel: 'Cancel',
@@ -44,7 +45,7 @@ const togglePublic = async (setPublicValue: boolean) => {
           .togglePublic(props.bucketId, true)
           .then(() => {
             isPublic.value = true;
-            toast.success('Folder set to public', `${props.bucketName} and all its contents are now public.`);
+            toast.success('Folder set to public', `'${props.bucketName}' and all its contents are now public.`);
           })
           .catch((e) => toast.error('Changing public state', e.response?.data.detail ?? e, { life: 0 }));
       },
@@ -54,8 +55,8 @@ const togglePublic = async (setPublicValue: boolean) => {
   } else
     confirm.require({
       message:
-        'Setting this folder to private will remove public access to all subfolders and files. ' +
-        'Only users with permissions will be able to view and download them.',
+        'Setting this folder to private will also remove public access for all subfolders and files. ' +
+        'Only users with permissions will be able to access files in this folder.',
       header: 'Set folder to private?',
       acceptLabel: 'Set to private',
       rejectLabel: 'Cancel',
diff --git a/frontend/src/components/bucket/BucketTable.vue b/frontend/src/components/bucket/BucketTable.vue
index 3be04723..98faf7ad 100644
--- a/frontend/src/components/bucket/BucketTable.vue
+++ b/frontend/src/components/bucket/BucketTable.vue
@@ -340,7 +340,7 @@ watch([getBuckets, permissionStore.getBucketIdpPermissions], ([]) => {
             v-else-if="
               permissionStore.getBucketInternal(node.data.bucketId) && usePermissionStore().isUserElevatedRights()
             "
-            value="Internal (IDIR)"
+            value="IDIR"
             severity="info"
             rounded
             class="mb-1 min-w-100"
diff --git a/frontend/src/components/form/SearchUsers.vue b/frontend/src/components/form/SearchUsers.vue
index 8408817b..18e967ab 100644
--- a/frontend/src/components/form/SearchUsers.vue
+++ b/frontend/src/components/form/SearchUsers.vue
@@ -4,7 +4,7 @@ import { storeToRefs } from 'pinia';
 import { computed, isProxy, onMounted, ref, watch } from 'vue';
 
 import { Button, OverlayPanel, Dropdown, RadioButton } from '@/lib/primevue';
-import { useUserStore, useAuthStore } from '@/store';
+import { useUserStore } from '@/store';
 import { Regex } from '@/utils/constants';
 
 import type { Ref } from 'vue';
@@ -158,7 +158,7 @@ onMounted(() => {
             value="internal"
             @click="onReset"
           />
-          <label for="internal">Government IDIR</label>
+          <label for="internal">IDIR</label>
         </div>
         <div class="flex align-items-center items-center gap-2">
           <RadioButton
diff --git a/frontend/src/components/object/ObjectFileDetails.vue b/frontend/src/components/object/ObjectFileDetails.vue
index da64eb20..47c71c91 100644
--- a/frontend/src/components/object/ObjectFileDetails.vue
+++ b/frontend/src/components/object/ObjectFileDetails.vue
@@ -172,7 +172,7 @@ onMounted(async () => {
             />
             <Tag
               v-else-if="isInternal"
-              value="Internal (IDIR)"
+              value="IDIR"
               severity="info"
               rounded
             />
diff --git a/frontend/src/components/object/ObjectIdpToggle.vue b/frontend/src/components/object/ObjectIdpToggle.vue
index c56ea40e..6ca0a2de 100644
--- a/frontend/src/components/object/ObjectIdpToggle.vue
+++ b/frontend/src/components/object/ObjectIdpToggle.vue
@@ -53,18 +53,21 @@ const confirm = useConfirm();
 const toggleIdp = async (value: boolean) => {
   if (value) {
     confirm.require({
-      message: "Setting this file to 'Internal only' will allow all IDIR users " + 'to view and download it.',
-      header: 'Set file to Internal only?',
-      acceptLabel: 'Set to Internal only',
+      message: 'This setting will allow all IDIR users to view and download this file.',
+      header: 'Give access to all IDIR users?',
+      acceptLabel: 'Confirm',
       rejectLabel: 'Cancel',
       accept: () => {
         permissionStore
           .addObjectIdpPermission(props.objectId, 'idir', 'READ')
           .then(() => {
             switchVal.value = true;
-            toast.success('File set to Internal only', `"${props.objectName}" is now Internal only`);
+            toast.success(
+              'IDIR permission applied',
+              `"${props.objectName}" can now be viewed by all IDIR users with the share link`
+            );
           })
-          .catch((e) => toast.error('Setting file to Internal only failed', e.response?.data.detail, { life: 0 }));
+          .catch((e) => toast.error("Setting file to 'All IDIR' failed", e.response?.data.detail, { life: 0 }));
       },
       reject: () => (switchVal.value = false),
       onHide: () => (switchVal.value = false)
@@ -72,8 +75,8 @@ const toggleIdp = async (value: boolean) => {
   } else
     confirm.require({
       message:
-        "Setting this file to private will remove 'Internal only' access. " +
-        'Only users with permissions will be able to view or download the file.',
+        "You are removing the 'IDIR Users' sharing access. " +
+        'Only users with permissions will be able to view or download the file in BCBox.',
       header: 'Set file to private?',
       acceptLabel: 'Set to private',
       rejectLabel: 'Cancel',
@@ -82,7 +85,7 @@ const toggleIdp = async (value: boolean) => {
           .deleteObjectIdpPermission(props.objectId, 'idir', 'READ')
           .then(() => {
             switchVal.value = false;
-            toast.success('File set to private', `"${props.objectName}" is no longer 'Internal only'`);
+            toast.success('File set to private', `"${props.objectName}" is no longer available to all IDIR users'`);
           })
           .catch((e) => toast.error('Setting file to private failed', e.response?.data.detail, { life: 0 }));
       },
@@ -112,12 +115,12 @@ onMounted(async () => {
         ? ''
         : isPublic
           ? 'Enabled by Public Sharing'
-          : 'Change the folder\'s \'Internal only\' setting to update this file'
+          : 'To change this, update the parent folder\'s settings'
     "
   >
     <InputSwitch
       :model-value="switchVal"
-      aria-label="Toggle to make file Internal only"
+      aria-label="Toggle to make file available to all IDIR users"
       :disabled="!isToggleEnabled"
       @update:model-value="toggleIdp($event)"
     />
diff --git a/frontend/src/components/object/ObjectPermission.vue b/frontend/src/components/object/ObjectPermission.vue
index 7e62ab2b..58f0a5aa 100644
--- a/frontend/src/components/object/ObjectPermission.vue
+++ b/frontend/src/components/object/ObjectPermission.vue
@@ -101,12 +101,8 @@ onBeforeMount(() => {
       <h3 class="mb-2">Sharing Access</h3>
       <div class="flex flex-row pb-3">
         <div class="flex-grow-1">
-          <h4 class="pb-1">Set to public</h4>
-          <p>
-            Setting a file to
-            <strong>public</strong>
-            allows anyone to access it without needing to authenticate.
-          </p>
+          <h4>Public</h4>
+          <p>Anyone with the public download link can download and read this file without signing in.</p>
         </div>
         <ObjectPublicToggle
           v-if="object && getUserId"
@@ -121,11 +117,8 @@ onBeforeMount(() => {
 
       <div class="flex flex-row pb-3">
         <div class="flex-grow-1">
-          <h4 class="pb-1">Internal only</h4>
-          <p>
-            Give access to
-            <strong>all IDIR users</strong>
-          </p>
+          <h4>IDIR Users</h4>
+          <p>All IDIR users with the share link can view all details of this file in BCBox.</p>
         </div>
         <ObjectIdpToggle
           v-if="object && getUserId"
diff --git a/frontend/src/components/object/ObjectTable.vue b/frontend/src/components/object/ObjectTable.vue
index d79dc61d..d8bb25c6 100644
--- a/frontend/src/components/object/ObjectTable.vue
+++ b/frontend/src/components/object/ObjectTable.vue
@@ -355,7 +355,7 @@ async function downloadPublicObject(objectId: string) {
 
             <Tag
               v-if="!props.isBucketPublic && !data.public && (isBucketInternal || isObjectInternal(data.id))"
-              value="Internal (IDIR)"
+              value="IDIR"
               severity="info"
               rounded
               class="mb-1 min-w-100"
diff --git a/frontend/src/views/list/ListObjectsView.vue b/frontend/src/views/list/ListObjectsView.vue
index 58584296..cc328ddd 100644
--- a/frontend/src/views/list/ListObjectsView.vue
+++ b/frontend/src/views/list/ListObjectsView.vue
@@ -158,7 +158,7 @@ onBeforeMount(async () => {
           />
           <Tag
             v-else-if="isInternal"
-            value="Internal (IDIR)"
+            value="IDIR"
             severity="info"
             rounded
           />